├── AntsDrv.sln ├── AntsDrv ├── AntsDrv.c ├── AntsDrv.inf ├── AntsDrv.rc ├── AntsDrv.vcxproj ├── AntsDrv.vcxproj.filters ├── AntsDrv.vcxproj.user ├── ApcInject.c ├── ApcInject.h ├── HlprDriverAlpc.c ├── HlprDriverAlpc.h └── object.h ├── CveCheck ├── CveCheck.vcxproj ├── CveCheck.vcxproj.filters ├── CveCheck.vcxproj.user ├── Cve_2016_0189.cpp ├── Cve_2016_0189.h ├── Debug │ ├── CveCheck.Build.CppClean.log │ ├── CveCheck.log │ ├── CveCheck.pch │ ├── CveCheck.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── CveCheck.lastbuildstate │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── Cve_2016_0189.obj │ ├── HlprDllAlpc.obj │ ├── dllmain.obj │ ├── hook.obj │ ├── pch.obj │ ├── vc141.idb │ └── vc141.pdb ├── HlprDllAlpc.cpp ├── HlprDllAlpc.h ├── dllmain.cpp ├── framework.h ├── hook.cpp ├── hook.h ├── ntbasic.h ├── pch.cpp └── pch.h ├── CveCheckUI ├── BaseWinDlg.cpp ├── BaseWinDlg.h ├── CveCheckUI.ico ├── CveCheckUI.rc ├── CveCheckUI.vcxproj ├── CveCheckUI.vcxproj.filters ├── CveCheckUI.vcxproj.user ├── InterceptInfoDlg.cpp ├── InterceptInfoDlg.h ├── Main.cpp ├── Resource.h ├── StdAfx.cpp ├── StdAfx.h ├── framework.h ├── small.ico └── targetver.h ├── CveServer ├── CveServer.vcxproj ├── CveServer.vcxproj.filters ├── CveServer.vcxproj.user ├── CveServerMain.cpp ├── Debug │ ├── CveServer.log │ ├── CveServer.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── CveServer.lastbuildstate │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── CveServerMain.obj │ ├── HlprServerAlpc.obj │ ├── HlprServerPip.obj │ ├── InjectMonProcessTest.obj │ ├── vc141.idb │ └── vc141.pdb ├── HlprServerAlpc.cpp ├── HlprServerAlpc.h ├── HlprServerPip.cpp ├── HlprServerPip.h ├── InjectMonProcess.h ├── InjectMonProcessTest.cpp ├── Release │ ├── CveServer.Build.CppClean.log │ ├── CveServer.log │ ├── CveServer.obj │ ├── CveServer.tlog │ │ ├── CL.command.1.tlog │ │ ├── 
CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── CveServer.lastbuildstate │ │ ├── CveServer.write.1u.tlog │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ └── link.write.1.tlog │ ├── HlprServerAlpcPort.obj │ ├── InjectMonProcessTest.obj │ └── vc141.pdb ├── ntbasic.h └── x64 │ └── Debug │ ├── CveServer.log │ ├── CveServer.obj │ └── CveServer.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ └── CveServer.lastbuildstate ├── README.md └── alpc ├── Debug ├── alpc.idb ├── alpc.log ├── alpc.pdb ├── alpc.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── Lib-link.read.1.tlog │ ├── Lib-link.write.1.tlog │ ├── Lib.command.1.tlog │ └── alpc.lastbuildstate └── ntlpcapi.obj ├── Release ├── alpc.Build.CppClean.log ├── alpc.log ├── alpc.pdb ├── alpc.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── Lib-link.read.1.tlog │ ├── Lib-link.write.1.tlog │ ├── Lib.command.1.tlog │ └── alpc.lastbuildstate └── ntlpcapi.obj ├── UserModeDefs.h ├── alpc.vcxproj ├── alpc.vcxproj.filters ├── alpc.vcxproj.user ├── ntbasic.h ├── ntdefs.h ├── ntlpcapi.c ├── ntlpcapi.h └── x64 └── Debug ├── alpc.log └── alpc.tlog ├── CL.command.1.tlog ├── CL.read.1.tlog ├── CL.write.1.tlog ├── alpc.lastbuildstate ├── link.command.1.tlog ├── link.read.1.tlog └── link.write.1.tlog /AntsDrv/AntsDrv.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; AntsDrv 3 | ;;; 4 | 5 | [Version] 6 | Signature = "$Windows NT$" 7 | ; TODO - Change the Class and ClassGuid to match the Load Order Group value, see https://msdn.microsoft.com/en-us/windows/hardware/gg462963 8 | ; Class = "ActivityMonitor" ;This is determined by the work this filter driver does 9 | ; ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value 10 | Class = "ActivityMonitor" 11 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 12 | Provider = %ManufacturerName% 13 | 
DriverVer = 14 | CatalogFile = AntsDrv.cat 15 | 16 | [DestinationDirs] 17 | DefaultDestDir = 12 18 | MiniFilter.DriverFiles = 12 ;%windir%\system32\drivers 19 | 20 | ;; 21 | ;; Default install sections 22 | ;; 23 | 24 | [DefaultInstall] 25 | OptionDesc = %ServiceDescription% 26 | CopyFiles = MiniFilter.DriverFiles 27 | 28 | [DefaultInstall.Services] 29 | AddService = %ServiceName%,,MiniFilter.Service 30 | 31 | ;; 32 | ;; Default uninstall sections 33 | ;; 34 | 35 | [DefaultUninstall] 36 | DelFiles = MiniFilter.DriverFiles 37 | 38 | [DefaultUninstall.Services] 39 | DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting 40 | 41 | ; 42 | ; Services Section 43 | ; 44 | 45 | [MiniFilter.Service] 46 | DisplayName = %ServiceName% 47 | Description = %ServiceDescription% 48 | ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\ 49 | Dependencies = "FltMgr" 50 | ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER 51 | StartType = 3 ;SERVICE_DEMAND_START 52 | ErrorControl = 1 ;SERVICE_ERROR_NORMAL 53 | ; TODO - Change the Load Order Group value 54 | ; LoadOrderGroup = "FSFilter Activity Monitor" 55 | LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_" 56 | AddReg = MiniFilter.AddRegistry 57 | 58 | ; 59 | ; Registry Modifications 60 | ; 61 | 62 | [MiniFilter.AddRegistry] 63 | HKR,,"DebugFlags",0x00010001 ,0x0 64 | HKR,,"SupportedFeatures",0x00010001,0x3 65 | HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance% 66 | HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude% 67 | HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags% 68 | 69 | ; 70 | ; Copy Files 71 | ; 72 | 73 | [MiniFilter.DriverFiles] 74 | %DriverName%.sys 75 | 76 | [SourceDisksFiles] 77 | AntsDrv.sys = 1,, 78 | 79 | [SourceDisksNames] 80 | 1 = %DiskId1%,,, 81 | 82 | ;; 83 | ;; String Section 84 | ;; 85 | 86 | [Strings] 87 | ; TODO - Add your manufacturer 88 | ManufacturerName = "Template" 89 | ServiceDescription = "AntsDrv 
Mini-Filter Driver" 90 | ServiceName = "AntsDrv" 91 | DriverName = "AntsDrv" 92 | DiskId1 = "AntsDrv Device Installation Disk" 93 | 94 | ;Instances specific information. 95 | DefaultInstance = "AntsDrv Instance" 96 | Instance1.Name = "AntsDrv Instance" 97 | ; TODO - Change the altitude value, see https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers 98 | Instance1.Altitude = "_TODO_Change_Altitude_appropriately_" 99 | Instance1.Flags = 0x0 ; Allow all attachments 100 | -------------------------------------------------------------------------------- /AntsDrv/AntsDrv.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | 5 | #define VER_FILETYPE VFT_DRV 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM 7 | #define VER_FILEDESCRIPTION_STR "AntsDrv Filter Driver" 8 | #define VER_INTERNALNAME_STR "AntsDrv.sys" 9 | 10 | #include "common.ver" 11 | -------------------------------------------------------------------------------- /AntsDrv/AntsDrv.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | {CFB7E59A-AB36-4B24-B28E-D34537FC1DAA} 51 | {f2f62967-0815-4fd7-9b86-6eedcac766eb} 52 | v4.5 53 | 12.0 54 | Debug 55 | Win32 56 | AntsDrv 57 | 58 | 59 | 60 | Windows7 61 | true 62 | WindowsKernelModeDriver10.0 63 | Driver 64 | WDM 65 | false 66 | 67 | 68 | Windows7 69 | false 70 | WindowsKernelModeDriver10.0 71 | Driver 72 | WDM 73 | false 74 | 75 | 76 | Windows10 77 | true 78 | WindowsKernelModeDriver10.0 79 | Driver 80 | WDM 81 | false 82 | 83 | 84 | Windows10 85 | false 86 | 
WindowsKernelModeDriver10.0 87 | Driver 88 | WDM 89 | Desktop 90 | 91 | 92 | Windows10 93 | true 94 | WindowsKernelModeDriver10.0 95 | Driver 96 | WDM 97 | 98 | 99 | Windows10 100 | false 101 | WindowsKernelModeDriver10.0 102 | Driver 103 | WDM 104 | 105 | 106 | Windows10 107 | true 108 | WindowsKernelModeDriver10.0 109 | Driver 110 | WDM 111 | 112 | 113 | Windows10 114 | false 115 | WindowsKernelModeDriver10.0 116 | Driver 117 | WDM 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | DbgengKernelDebugger 130 | 131 | 132 | DbgengKernelDebugger 133 | false 134 | 135 | 136 | DbgengKernelDebugger 137 | $(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH);$(CRT_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath) 138 | 139 | 140 | DbgengKernelDebugger 141 | 142 | 143 | DbgengKernelDebugger 144 | 145 | 146 | DbgengKernelDebugger 147 | 148 | 149 | DbgengKernelDebugger 150 | 151 | 152 | DbgengKernelDebugger 153 | 154 | 155 | 156 | fltmgr.lib;%(AdditionalDependencies) 157 | 158 | 159 | 160 | 161 | false 162 | 163 | 164 | 165 | 166 | fltmgr.lib;%(AdditionalDependencies) 167 | 168 | 169 | 170 | 171 | fltmgr.lib;%(AdditionalDependencies) 172 | /INTEGRITYCHECK %(AdditionalOptions) 173 | false 174 | 175 | 176 | false 177 | Level3 178 | 179 | 180 | 181 | 182 | fltmgr.lib;%(AdditionalDependencies) 183 | /INTEGRITYCHECK %(AdditionalOptions) 184 | 185 | 186 | Level3 187 | false 188 | 189 | 190 | 191 | 192 | fltmgr.lib;%(AdditionalDependencies) 193 | 194 | 195 | 196 | 197 | fltmgr.lib;%(AdditionalDependencies) 198 | 199 | 200 | 201 | 202 | fltmgr.lib;%(AdditionalDependencies) 203 | 204 | 205 | 206 | 207 | fltmgr.lib;%(AdditionalDependencies) 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | -------------------------------------------------------------------------------- /AntsDrv/AntsDrv.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | {a781810d-b91c-4d4b-bee1-de651b3924a1} 22 | 23 | 24 | {85fb7e7f-cd3c-4cd0-b52e-0a2586aa46cb} 25 | 26 | 27 | 28 | 29 | Driver Files 30 | 31 | 32 | 33 | 34 | Source Files 35 | 36 | 37 | HlprDriverAlpc 38 | 39 | 40 | ApcInject 41 | 42 | 43 | 44 | 45 | Resource Files 46 | 47 | 48 | 49 | 50 | Header Files 51 | 52 | 53 | HlprDriverAlpc 54 | 55 | 56 | ApcInject 57 | 58 | 59 | -------------------------------------------------------------------------------- /AntsDrv/AntsDrv.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /AntsDrv/ApcInject.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "ApcInject.h" 6 | 7 | UINT32 HashString( 8 | PCHAR pcString 9 | ) 10 | { 11 | INT Counter = NULL; 12 | UINT32 Hash = 0, N = 0; 13 | while ((Counter = *pcString++)) 14 | { 15 | Hash ^= ((N++ & 1) == NULL) ? 
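((Hash << 5) ^ Counter ^ (Hash >> 1)) :
            (~((Hash << 9) ^ Counter ^ (Hash >> 3)));
    }

    return (Hash & 0x7FFFFFFF);
}

/*
 * Resolve an export of an in-memory PE image by the HashString() hash of its
 * name.
 *
 * ModuleBase - base address of a mapped image (points at its IMAGE_DOS_HEADER).
 * dwHash     - HashString() value of the export name being looked for.
 * Data       - index into OptionalHeader.DataDirectory (callers are expected
 *              to pass IMAGE_DIRECTORY_ENTRY_EXPORT; only an export directory
 *              is parsed here).
 *
 * Returns the export's virtual address, or NULL when ModuleBase is NULL, the
 * DOS/NT signatures do not match, Data is out of range, the directory is
 * empty, the export table has no name table, or no exported name hashes to
 * dwHash.
 *
 * NOTE(review): only the two signatures and the directory index are
 * validated. e_lfanew and every RVA read from the export table are trusted
 * because the image size is not known here. If ModuleBase can be a user-mode
 * module that the target process controls, the caller must wrap this call in
 * __try/__except (and ideally bound each RVA against the image size) before
 * relying on it from kernel mode.
 */
PVOID GetProcedureAddressByHash(
    PVOID ModuleBase,
    ULONG dwHash,
    ULONG Data
)
{
    PIMAGE_DOS_HEADER ImageDosHeader = (PIMAGE_DOS_HEADER)ModuleBase;
    PIMAGE_NT_HEADERS ImageNtHeaders;
    PIMAGE_DATA_DIRECTORY Directory;
    PIMAGE_EXPORT_DIRECTORY ImageExport;
    PULONG AddressOfNames;
    PULONG AddressOfFunctions;
    PUSHORT AddressOfOrdinals;
    ULONG n;

    if (ModuleBase == NULL || ImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }

    ImageNtHeaders = (PIMAGE_NT_HEADERS)RtlOffsetToPointer(ModuleBase, ImageDosHeader->e_lfanew);
    if (ImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    // Bound the index BEFORE indexing DataDirectory. The original read
    // DataDirectory[Data].VirtualAddress first and only then compared Data
    // with NumberOfRvaAndSizes, so an oversized Data read past the optional
    // header. IMAGE_NUMBEROF_DIRECTORY_ENTRIES bounds the array itself,
    // NumberOfRvaAndSizes bounds what this particular image provides.
    if (Data >= IMAGE_NUMBEROF_DIRECTORY_ENTRIES ||
        Data >= ImageNtHeaders->OptionalHeader.NumberOfRvaAndSizes) {
        return NULL;
    }

    Directory = &ImageNtHeaders->OptionalHeader.DataDirectory[Data];
    if (Directory->VirtualAddress == 0) {
        return NULL;
    }

    ImageExport = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(ModuleBase, Directory->VirtualAddress);
    if (ImageExport->AddressOfNames == 0 ||
        ImageExport->AddressOfFunctions == 0 ||
        ImageExport->AddressOfNameOrdinals == 0) {
        // Export directory present but without a usable name table.
        return NULL;
    }

    AddressOfNames     = (PULONG)RtlOffsetToPointer(ModuleBase, ImageExport->AddressOfNames);
    AddressOfFunctions = (PULONG)RtlOffsetToPointer(ModuleBase, ImageExport->AddressOfFunctions);
    AddressOfOrdinals  = (PUSHORT)RtlOffsetToPointer(ModuleBase, ImageExport->AddressOfNameOrdinals);

    for (n = 0; n < ImageExport->NumberOfNames; ++n) {
        LPSTR Func = (LPSTR)RtlOffsetToPointer(ModuleBase, AddressOfNames[n]);
        if (HashString(Func) == dwHash) {
            USHORT Ordinal = AddressOfOrdinals[n];
            // The name-ordinal table indexes AddressOfFunctions; refuse a
            // corrupt entry rather than read past that table.
            if (Ordinal >= ImageExport->NumberOfFunctions) {
                return NULL;
            }
            return (PVOID)RtlOffsetToPointer(ModuleBase, AddressOfFunctions[Ordinal]);
        }
    }

    return NULL;
}

/*
 * Kernel routine of the user-mode LoadLibrary APC queued by DllInject().
 * It runs in the target thread right before the normal routine is delivered
 * to user mode; its only job is to release the KAPC that DllInject()
 * allocated. NormalRoutine/NormalContext are left untouched, so
 * Sys_LoadLibrary and the DLL path are delivered unchanged.
 */
VOID NTAPI APCKernelRoutine(
    PKAPC Apc,
    PKNORMAL_ROUTINE* NormalRoutine,
    PVOID *SysArg1,
    PVOID *SysArg2,
    PVOID *Context
)
{
    UNREFERENCED_PARAMETER(NormalRoutine);
    UNREFERENCED_PARAMETER(SysArg1);
    UNREFERENCED_PARAMETER(SysArg2);
    UNREFERENCED_PARAMETER(Context);

    ExFreePool(Apc);
}

/*
 * Rundown routine for the same APC: invoked instead of APCKernelRoutine when
 * the target thread exits with the APC still queued. The original passed no
 * rundown routine, so the KAPC leaked whenever the thread died first.
 */
static VOID NTAPI APCRundownRoutine(
    PKAPC Apc
)
{
    ExFreePool(Apc);
}

/*
 * Queue a user-mode APC on Pethread (a thread of the process identified by
 * ProcessId / Peprocess) that calls Sys_LoadLibrary with a hard-coded DLL
 * path, so the target process loads C:\CveCheck.dll the next time that
 * thread becomes alertable.
 *
 * ProcessId - id of the target process; used to open it for the allocation.
 * Peprocess - EPROCESS of the target; attached to for the copy. Presumably
 *             the same process as ProcessId - SirifefWorkerRoutine captures
 *             both from the current process.
 * Pethread  - thread that receives the APC.
 * Alert     - unused.
 *
 * Returns STATUS_SUCCESS once the APC has been queued,
 * STATUS_PROCEDURE_NOT_FOUND when Sys_LoadLibrary has not been resolved, and
 * STATUS_NO_MEMORY when the process cannot be opened, the path cannot be
 * allocated or written in it, or the APC cannot be allocated/queued. On every
 * failure the target-side allocation is released again.
 *
 * SECURITY NOTE(review): whatever file sits at C:\CveCheck.dll is loaded into
 * every target with no signature or integrity check, so write access to the
 * root of C: is the trust boundary for every injected process. Consider
 * resolving the path from a protected install directory and verifying the
 * image before injecting it.
 */
NTSTATUS DllInject(
    HANDLE ProcessId,
    PEPROCESS Peprocess,
    PETHREAD Pethread,
    BOOLEAN Alert
)
{
    NTSTATUS status = STATUS_NO_MEMORY;
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cidprocess = { 0 };
    // Set Inject DLL
    CHAR DllFormatPath[] = "C:\\CveCheck.dll";
    // SIZE_T, not ULONG: ZwAllocateVirtualMemory writes the rounded
    // RegionSize back through a PSIZE_T, which overran a 4-byte ULONG local
    // on x64.
    SIZE_T Size = sizeof(DllFormatPath);
    SIZE_T FreeSize;
    PVOID pvMemory = NULL;
    PKAPC Apc = NULL;
    KAPC_STATE KasState;
    BOOLEAN Copied = FALSE;

    UNREFERENCED_PARAMETER(Alert);

    // Nothing to deliver without the user-mode LoadLibrary address; bail out
    // before touching the target at all.
    if (Sys_LoadLibrary == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }

    // OBJ_KERNEL_HANDLE keeps the handle out of a user-accessible handle table
    // should this ever run in a user thread's context.
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    cidprocess.UniqueProcess = ProcessId;
    cidprocess.UniqueThread = 0;

    // Least privilege: the handle is only used for the allocation (and its
    // release); the path is written while attached, not through the handle.
    if (!NT_SUCCESS(ZwOpenProcess(&hProcess, PROCESS_VM_OPERATION, &oa, &cidprocess))) {
        return STATUS_NO_MEMORY;
    }

    if (NT_SUCCESS(ZwAllocateVirtualMemory(hProcess, &pvMemory, 0, &Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)))
    {
        // Copy the path into the target's address space. The page was just
        // allocated by us, but it is user-mode memory the target can unmap at
        // any time, so the write is probed and guarded.
        KeStackAttachProcess(Peprocess, &KasState);
        __try {
            ProbeForWrite(pvMemory, sizeof(DllFormatPath), 1);
            RtlCopyMemory(pvMemory, DllFormatPath, sizeof(DllFormatPath));
            Copied = TRUE;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            Copied = FALSE;
        }
        KeUnstackDetachProcess(&KasState);

        if (Copied) {
            Apc = (PKAPC)ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC), 'cpAK');
        }

        if (Apc != NULL)
        {
            // Environment 0 = OriginalApcEnvironment. The normal routine runs
            // in user mode as Sys_LoadLibrary(pvMemory, 0, 0), i.e.
            // LoadLibraryExA(path, NULL, 0). APCKernelRoutine (or
            // APCRundownRoutine if the thread exits first) frees the KAPC.
            KeInitializeApc(Apc, Pethread, 0, (PKKERNEL_ROUTINE)APCKernelRoutine, APCRundownRoutine, (PKNORMAL_ROUTINE)Sys_LoadLibrary, UserMode, pvMemory);
            if (KeInsertQueueApc(Apc, 0, 0, IO_NO_INCREMENT)) {
                status = STATUS_SUCCESS;
            } else {
                // APC delivery is disabled for this thread (it is being torn
                // down): nothing was queued, so free the KAPC ourselves.
                ExFreePoolWithTag(Apc, 'cpAK');
            }
        }

        if (!NT_SUCCESS(status)) {
            // No APC will consume the path: give the allocation back.
            FreeSize = 0;
            ZwFreeVirtualMemory(hProcess, &pvMemory, &FreeSize, MEM_RELEASE);
        }
    }

    // The original returned from the success path without this close and
    // leaked one process handle per injection.
    ZwClose(hProcess);
    return status;
}

/*
 * Work-item routine queued by APCInjectorRoutine(). Runs the injection for
 * the captured process/thread on a system worker thread (PASSIVE_LEVEL) and
 * then signals Event so the waiting APC routine can return. DllInject()'s
 * status is dropped - SIRIFEF_INJECTION_DATA has no field to carry it.
 */
VOID SirifefWorkerRoutine(
    PVOID Context
)
{
    PSIRIFEF_INJECTION_DATA Data = (PSIRIFEF_INJECTION_DATA)Context;

    // ProcessId is stored as ULONG; widen it back to the HANDLE DllInject takes.
    DllInject((HANDLE)(ULONG_PTR)Data->ProcessId, Data->Process, Data->Ethread, FALSE);
    KeSetEvent(&Data->Event, (KPRIORITY)0, FALSE);
}

/*
 * Kernel routine of the APC that starts an injection into the current
 * thread/process. The APC itself is queued elsewhere (not in this file's
 * view); the KAPC is assumed to be pool-allocated by whoever queued it, since
 * it is freed here. Because an APC kernel routine may be running at
 * APC_LEVEL, the real work (open the process, allocate in it) is handed to a
 * system worker thread and this routine blocks on Sf.Event until that work
 * item has finished - which is the only reason Sf can live on this stack.
 */
VOID NTAPI APCInjectorRoutine(
    PKAPC Apc,
    PKNORMAL_ROUTINE *NormalRoutine,
    PVOID *SystemArgument1,
    PVOID *SystemArgument2,
    PVOID* Context
)
{
    SIRIFEF_INJECTION_DATA Sf;

    UNREFERENCED_PARAMETER(NormalRoutine);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);
    UNREFERENCED_PARAMETER(Context);

    RtlSecureZeroMemory(&Sf, sizeof(SIRIFEF_INJECTION_DATA));
    ExFreePool(Apc);
    Sf.Ethread = KeGetCurrentThread();
    Sf.Process = IoGetCurrentProcess();
    // ProcessId is declared ULONG; process ids fit, make the narrowing explicit.
    Sf.ProcessId = (ULONG)(ULONG_PTR)PsGetCurrentProcessId();
    KeInitializeEvent(&Sf.Event, NotificationEvent, FALSE);
    ExInitializeWorkItem(&Sf.WorkItem,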
(PWORKER_THREAD_ROUTINE)SirifefWorkerRoutine, &Sf); 136 | ExQueueWorkItem(&Sf.WorkItem, DelayedWorkQueue); 137 | KeWaitForSingleObject(&Sf.Event, Executive, KernelMode, TRUE, 0); 138 | return; 139 | 140 | } -------------------------------------------------------------------------------- /AntsDrv/ApcInject.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | /************************************************************************* 6 | APC Inject Golabe Var 7 | *************************************************************************/ 8 | PVOID LoadLibrary; 9 | typedef PVOID(*P_LoadLibraryExA)( 10 | LPCSTR lpLibFileName, 11 | HANDLE hFile, 12 | ULONG dwFlags 13 | ); 14 | P_LoadLibraryExA Sys_LoadLibrary; 15 | 16 | typedef enum _KAPC_ENVIRONMENT 17 | { 18 | OriginalApcEnvironment, 19 | AttachedApcEnvironment, 20 | CurrentApcEnvironment, 21 | InsertApcEnvironment 22 | }KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT; 23 | 24 | typedef VOID(NTAPI *PKNORMAL_ROUTINE)( 25 | PVOID NormalContext, 26 | PVOID SystemArgument1, 27 | PVOID SystemArgument2 28 | ); 29 | 30 | typedef VOID(NTAPI *PKRUNDOWN_ROUTINE)( 31 | PRKAPC Apc 32 | ); 33 | 34 | typedef VOID KKERNEL_ROUTINE( 35 | PRKAPC Apc, 36 | PKNORMAL_ROUTINE *NormalRoutine, 37 | PVOID *NormalContext, 38 | PVOID *SystemArgument1, 39 | PVOID *SystemArgument2 40 | ); 41 | 42 | typedef KKERNEL_ROUTINE(NTAPI *PKKERNEL_ROUTINE); 43 | 44 | void KeInitializeApc( 45 | PRKAPC Apc, 46 | PRKTHREAD Thread, 47 | KAPC_ENVIRONMENT Environment, 48 | PKKERNEL_ROUTINE KernelRoutine, 49 | PKRUNDOWN_ROUTINE RundownRoutine, 50 | PKNORMAL_ROUTINE NormalRoutine, 51 | KPROCESSOR_MODE ProcessorMode, 52 | PVOID NormalContext 53 | ); 54 | 55 | BOOLEAN KeInsertQueueApc( 56 | PRKAPC Apc, 57 | PVOID SystemArgument1, 58 | PVOID SystemArgument2, 59 | KPRIORITY Increment 60 | ); 61 | 62 | typedef struct _SIRIFEF_INJECTION_DATA 63 | { 64 | BOOLEAN Executing; 65 | PEPROCESS Process; 66 | PETHREAD 
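Ethread;
    KEVENT Event;
    WORK_QUEUE_ITEM WorkItem;
    ULONG ProcessId;

}SIRIFEF_INJECTION_DATA, *PSIRIFEF_INJECTION_DATA;

PVOID GetProcedureAddressByHash(PVOID ModuleBase, ULONG dwHash, ULONG Data);

VOID NTAPI APCInjectorRoutine(
    PKAPC Apc,
    PKNORMAL_ROUTINE *NormalRoutine,
    PVOID *SystemArgument1,
    PVOID *SystemArgument2,
    PVOID* Context
);

VOID SirifefWorkerRoutine(PVOID Context);
--------------------------------------------------------------------------------
/AntsDrv/HlprDriverAlpc.c:
--------------------------------------------------------------------------------
#include "HlprDriverAlpc.h"
// NOTE(review): the name of the second header was lost in extraction.
#include

#define MSG_LEN 0x100
#define HEAP_ZERO_MEMORY 0x00000008

// Event handle
KEVENT g_kEvent = { 0 };
PKEVENT g_pInjectEvent;

/*
 * Build a contiguous ALPC message - PORT_MESSAGE header immediately followed
 * by MessageSize bytes of Message - in non-paged pool, tag 'TAG'. The caller
 * owns the result and releases it with ExFreePoolWithTag(p, 'TAG').
 *
 * PortMessage - header to copy; DataLength/TotalLength are the caller's job.
 * MessageSize - payload byte count.
 * Message     - payload bytes (may be NULL only when MessageSize is 0).
 *
 * Returns NULL - instead of dereferencing it, as the original did - when the
 * allocation fails, an argument is missing, or MessageSize cannot be
 * represented by the CSHORT length fields of PORT_MESSAGE.
 */
LPVOID CreateMsgMem(
    PPORT_MESSAGE PortMessage,
    SIZE_T MessageSize,
    LPVOID Message
)
{
    LPVOID lpMem;

    // PORT_MESSAGE carries a CSHORT TotalLength, so anything larger can never
    // be a valid message; this bound also rules out overflow of the sum below.
    if (PortMessage == NULL ||
        (Message == NULL && MessageSize != 0) ||
        MessageSize > (SIZE_T)(MAXSHORT - sizeof(PORT_MESSAGE))) {
        return NULL;
    }

    // The original passed PAGE_READWRITE (4) as the POOL_TYPE, which only
    // worked because 4 happens to equal NonPagedPoolCacheAligned.
    lpMem = ExAllocatePoolWithTag(NonPagedPool, MessageSize + sizeof(PORT_MESSAGE), 'TAG');
    if (lpMem == NULL) {
        return NULL;
    }

    RtlCopyMemory(lpMem, PortMessage, sizeof(PORT_MESSAGE));
    RtlCopyMemory((BYTE*)lpMem + sizeof(PORT_MESSAGE), Message, MessageSize);
    return lpMem;
}

/*
 * Resolve the two ALPC entry points this driver uses through
 * MmGetSystemRoutineAddress (ZwAlpcConnectPort / ZwAlpcSendWaitReceivePort
 * are not declared by the headers this driver includes - it carries its own
 * prototypes in HlprDriverAlpc.h) and store them in Sys_NtAlpcConnectPort and
 * Sys_NtAlpcSendWaitReceivePort.
 *
 * Returns STATUS_SUCCESS when both were found, STATUS_UNSUCCESSFUL otherwise
 * (one or both globals are then NULL).
 */
NTSTATUS InitAlpcAddrs(
)
{
    UNICODE_STRING NtAlpcConnectPort;
    UNICODE_STRING NtAlpcSendWaitReceivePort;

    RtlInitUnicodeString(&NtAlpcConnectPort, L"ZwAlpcConnectPort");
    RtlInitUnicodeString(&NtAlpcSendWaitReceivePort, L"ZwAlpcSendWaitReceivePort");
    Sys_NtAlpcConnectPort = (P_NtAlpcConnectPort)MmGetSystemRoutineAddress(&NtAlpcConnectPort);
    Sys_NtAlpcSendWaitReceivePort = (P_NtAlpcSendWaitReceivePort)MmGetSystemRoutineAddress(&NtAlpcSendWaitReceivePort);

    if (Sys_NtAlpcSendWaitReceivePort == NULL || Sys_NtAlpcConnectPort == NULL) {
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}

//
// Handle messages from the user-mode server.
//
/*
 * Body of the system thread created by AlpcDriverStart(). Blocks on the
 * server port and dispatches every message on UNIVERMSG.ControlId:
 *   ALPC_DRIVER_CONNECTSERVER_RECV  - server acknowledged the connection:
 *                                     reset g_kEvent to non-signaled.
 *   ALPC_DLL_INJECT_SUCCESS/FAILUER - injection outcome: signal g_kEvent.
 * Anything else is ignored. The loop ends - and the thread terminates
 * itself - the first time a receive fails (port closed, server gone, ...);
 * the original spun on the failing call forever.
 *
 * StartContext - unused.
 *
 * Security: the peer is a user-mode process, so nothing in a message is
 * trusted until its length has been checked against what ALPC actually
 * delivered.
 */
VOID AlpcRecvServerMsgROUTINE(
    _In_ PVOID StartContext
)
{
    // A real receive buffer. The original received into a single
    // PORT_MESSAGE while telling ALPC the buffer was 0x500 bytes, so any
    // message longer than the header overflowed the kernel stack, and the
    // UNIVERMSG that follows the header was then read out of that same
    // undersized object.
    struct {
        PORT_MESSAGE Header;
        UCHAR Body[0x500 - sizeof(PORT_MESSAGE)];
    } Recv;
    SIZE_T nLen;
    NTSTATUS ntRet;
    PUNIVERMSG univermsg;

    UNREFERENCED_PARAMETER(StartContext);

    // KeSetEvent on a never-initialised (zeroed) KEVENT walks a bogus wait
    // list; make sure the event is valid before any message can reach it.
    KeInitializeEvent(&g_kEvent, NotificationEvent, FALSE);

    for (;;)
    {
        RtlSecureZeroMemory(&Recv, sizeof(Recv));
        // BufferLength is in/out - ALPC overwrites it with the received size -
        // so it must be reset before every call or the usable buffer shrinks
        // to the size of the first message. The local stays SIZE_T although
        // the prototype in HlprDriverAlpc.h says PULONG: the real entry point
        // takes PSIZE_T and writes a full SIZE_T through it.
        nLen = sizeof(Recv);
        ntRet = Sys_NtAlpcSendWaitReceivePort(g_DriverhPort, 0, NULL, NULL, &Recv.Header, &nLen, NULL, NULL);
        if (ntRet != STATUS_SUCCESS)
        {
            break;
        }

        // The payload must fit both in what was delivered and in what the
        // sender declared before it is read. DataLength is a signed CSHORT;
        // the signed compare also rejects negative values.
        if (nLen < sizeof(PORT_MESSAGE) + sizeof(UNIVERMSG) ||
            Recv.Header.u1.s1.DataLength < (CSHORT)sizeof(UNIVERMSG))
        {
            continue;
        }

        univermsg = (PUNIVERMSG)Recv.Body;
        switch (univermsg->ControlId)
        {
        case ALPC_DRIVER_CONNECTSERVER_RECV:
            // Server reports that we are online: put the injection event back
            // into the non-signaled state. KeClearEvent rather than the
            // original KeInitializeEvent, which corrupts the wait list if a
            // thread is already waiting on g_kEvent. (Earlier revisions
            // referenced the user-mode event handle in univermsg->Event via
            // ObReferenceObjectByHandle into g_pInjectEvent; that path is
            // retired and g_kEvent is used instead.)
            KeClearEvent(&g_kEvent);
            break;

        case ALPC_DLL_INJECT_SUCCESS:
        case ALPC_DLL_INJECT_FAILUER:
            // Either way the injection attempt is over: release the waiter.
            KeSetEvent(&g_kEvent, IO_NO_INCREMENT, FALSE);
            break;

        default:
            break;
        }
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}

/*
 * Connect this driver to the user-mode server's ALPC port
 * \RPC Control\CveDriverPort with an ALPC_DRIVER_CONNECTSERVER hello and start
 * the system thread that services the server's messages
 * (AlpcRecvServerMsgROUTINE). On success g_DriverhPort holds the connected
 * port and g_Recvhandle the thread (both kernel handles).
 *
 * Returns STATUS_UNSUCCESSFUL if InitAlpcAddrs() has not resolved
 * ZwAlpcConnectPort, STATUS_NO_MEMORY if the hello message cannot be built,
 * the connect status if the connection fails (no thread is started then),
 * the PsCreateSystemThread status if the thread cannot be created, and
 * STATUS_SUCCESS otherwise. The original returned STATUS_UNSUCCESSFUL
 * unconditionally and started the receive thread even when the connect had
 * failed, leaving it spinning on an invalid handle.
 *
 * SECURITY NOTE(review): RequiredServerSid is NULL and \RPC Control is a
 * directory any local user can create ports in, so whichever process owns
 * this name first becomes the driver's "server" and can feed it injection
 * results and commands. If the server is meant to be a SYSTEM service, pass
 * its SID (e.g. SeExports->SeLocalSystemSid) so the kernel rejects an
 * impostor at connect time - confirm the account the server runs under
 * before enabling that.
 */
NTSTATUS AlpcDriverStart(
)
{
    UNICODE_STRING ServerPort;
    PORT_MESSAGE pmSend;
    NTSTATUS ntRet;
    PVOID lpMem;
    OBJECT_ATTRIBUTES objPort;
    OBJECT_ATTRIBUTES objThread;
    UNIVERMSG msg;

    if (Sys_NtAlpcConnectPort == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString(&ServerPort, L"\\RPC Control\\CveDriverPort");

    // Send ALPC_DRIVER_CONNECTSERVER as the connection payload.
    RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
    RtlSecureZeroMemory(&msg, sizeof(UNIVERMSG));
    msg.ControlId = ALPC_DRIVER_CONNECTSERVER;
    msg.Event = 0;
    pmSend.u1.s1.DataLength = (CSHORT)sizeof(msg);
    pmSend.u1.s1.TotalLength = (CSHORT)(pmSend.u1.s1.DataLength + sizeof(PORT_MESSAGE));
    lpMem = CreateMsgMem(&pmSend, sizeof(msg), &msg);
    if (lpMem == NULL) {
        return STATUS_NO_MEMORY;
    }

    // Kernel handle: the port must not be reachable through the handle table
    // of whatever process happens to be current.
    InitializeObjectAttributes(&objPort, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    ntRet = Sys_NtAlpcConnectPort(
        &g_DriverhPort,
        &ServerPort,
        &objPort,
        NULL,               // PortAttributes
        0,                  // Flags
        NULL,               // RequiredServerSid - see the security note above
        (PPORT_MESSAGE)lpMem,
        NULL,
        NULL,               // OutMessageAttributes
        NULL,               // InMessageAttributes
        NULL);              // Timeout: wait indefinitely
    DbgPrint("[+]Status: 0x%X\r\n", ntRet);
    ExFreePoolWithTag(lpMem, 'TAG');
    lpMem = NULL;

    if (!NT_SUCCESS(ntRet)) {
        g_DriverhPort = NULL;
        return ntRet;
    }

    //
    // Thread that waits for server messages; it terminates itself when the
    // port dies.
    //
    InitializeObjectAttributes(&objThread, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    ntRet = PsCreateSystemThread(
        &g_Recvhandle,
        THREAD_ALL_ACCESS,
        &objThread,
        NtCurrentProcess(),
        NULL,
        (PKSTART_ROUTINE)AlpcRecvServerMsgROUTINE,
        NULL);
    if (!NT_SUCCESS(ntRet)) {
        g_Recvhandle = NULL;
        return ntRet;
    }

    return STATUS_SUCCESS;
}

/*
 * Send a DIRVER_INJECT_DLL request (ControlId etc. in Cve_Info->univermsg) to
 * the connected server port. Fire-and-forget: no reply is awaited here; the
 * server's answer arrives on AlpcRecvServerMsgROUTINE's thread.
 *
 * Cve_Info - request to send; copied into a pool message.
 *
 * Returns the ALPC send status, or STATUS_UNSUCCESSFUL when there is no
 * connected port / resolved entry point or the message cannot be built.
 */
NTSTATUS AlpcSendMsgtoInjectDll(
    DIRVER_INJECT_DLL* Cve_Info
)
{
    PORT_MESSAGE pmSend;
    PVOID lpMem;
    BOOLEAN canSend;

    RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
    pmSend.u1.s1.DataLength = (CSHORT)sizeof(DIRVER_INJECT_DLL);
    pmSend.u1.s1.TotalLength = (CSHORT)(pmSend.u1.s1.DataLength + sizeof(PORT_MESSAGE));
    lpMem = CreateMsgMem(&pmSend, pmSend.u1.s1.DataLength, Cve_Info);

    canSend = (BOOLEAN)(g_DriverhPort != NULL && Sys_NtAlpcSendWaitReceivePort != NULL);
    if (lpMem != NULL && !canSend)
    {
        // The failure branch below only returns a status; without this the
        // message leaked whenever there was nothing to send it on.
        ExFreePoolWithTag(lpMem, 'TAG');
        lpMem = NULL;
    }

    if (canSend && lpMem)
    {
        NTSTATUS nRet = STATUS_SUCCESS;
        nRet = Sys_NtAlpcSendWaitReceivePort(g_DriverhPort, 0, (PPORT_MESSAGE)lpMem, 0, NULL, NULL, 0, 0);
        ExFreePoolWithTag(lpMem, 'TAG');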
return nRet; 192 | } 193 | else 194 | return STATUS_UNSUCCESSFUL; 195 | } -------------------------------------------------------------------------------- /AntsDrv/HlprDriverAlpc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | /************************************************************************* 5 | ALPC Struct and Function 6 | *************************************************************************/ 7 | typedef struct _PORT_VIEW 8 | { 9 | ULONG Length; 10 | HANDLE SectionHandle; 11 | ULONG SectionOffset; 12 | SIZE_T ViewSize; 13 | PVOID ViewBase; 14 | PVOID ViewRemoteBase; 15 | } PORT_VIEW, *PPORT_VIEW; 16 | 17 | typedef struct _REMOTE_PORT_VIEW 18 | { 19 | ULONG Length; 20 | SIZE_T ViewSize; 21 | PVOID ViewBase; 22 | } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; 23 | 24 | typedef struct _PORT_MESSAGE 25 | { 26 | union 27 | { 28 | struct 29 | { 30 | CSHORT DataLength; 31 | CSHORT TotalLength; 32 | } s1; 33 | ULONG Length; 34 | } u1; 35 | union 36 | { 37 | struct 38 | { 39 | CSHORT Type; 40 | CSHORT DataInfoOffset; 41 | } s2; 42 | ULONG ZeroInit; 43 | } u2; 44 | union 45 | { 46 | CLIENT_ID ClientId; 47 | QUAD DoNotUseThisField; 48 | }; 49 | ULONG MessageId; 50 | union 51 | { 52 | SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages 53 | ULONG CallbackId; // only valid for LPC_REQUEST messages 54 | }; 55 | } PORT_MESSAGE, *PPORT_MESSAGE; 56 | 57 | typedef struct _ALPC_MESSAGE_ATTRIBUTES 58 | { 59 | ULONG AllocatedAttributes; 60 | ULONG ValidAttributes; 61 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; 62 | 63 | // symbols 64 | typedef struct _ALPC_PORT_ATTRIBUTES 65 | { 66 | ULONG Flags; 67 | SECURITY_QUALITY_OF_SERVICE SecurityQos; 68 | SIZE_T MaxMessageLength; 69 | SIZE_T MemoryBandwidth; 70 | SIZE_T MaxPoolUsage; 71 | SIZE_T MaxSectionSize; 72 | SIZE_T MaxViewSize; 73 | SIZE_T MaxTotalSectionSize; 74 | ULONG DupObjectTypes; 75 | #ifdef _M_X64 76 | ULONG 
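Reserved;
#endif
} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;

/*
 * ZwAlpcConnectPort, resolved at run time by InitAlpcAddrs().
 * BufferLength is PSIZE_T, not PULONG: the kernel writes a full SIZE_T
 * through it, which would overrun a ULONG local on x64. (The caller in
 * HlprDriverAlpc.c already uses a SIZE_T local.)
 */
typedef NTSTATUS
(NTAPI*
P_NtAlpcConnectPort)(
    __out PHANDLE PortHandle,
    __in PUNICODE_STRING PortName,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PALPC_PORT_ATTRIBUTES PortAttributes,
    __in ULONG Flags,
    __in_opt PSID RequiredServerSid,
    __inout PPORT_MESSAGE ConnectionMessage,
    __inout_opt PSIZE_T BufferLength,
    __inout_opt PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
    __inout_opt PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
    __in_opt PLARGE_INTEGER Timeout
    );
// NOTE(review): this is a definition, not an extern declaration; it is only
// safe while a single translation unit includes this header.
P_NtAlpcConnectPort Sys_NtAlpcConnectPort;

/*
 * ZwAlpcSendWaitReceivePort, resolved at run time by InitAlpcAddrs().
 * BufferLength is in/out (buffer size on entry, received size on return) and
 * is PSIZE_T for the same reason as above.
 */
typedef NTSTATUS
(NTAPI*
P_NtAlpcSendWaitReceivePort)(
    __in HANDLE PortHandle,
    __in ULONG Flags,
    __in_opt PPORT_MESSAGE SendMessage,
    __in_opt PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
    __inout_opt PPORT_MESSAGE ReceiveMessage,
    __inout_opt PSIZE_T BufferLength,
    __inout_opt PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
    __in_opt PLARGE_INTEGER Timeout
    );
// NOTE(review): definition in a header, see above.
P_NtAlpcSendWaitReceivePort Sys_NtAlpcSendWaitReceivePort;

// UNIVERMSG.ControlId values exchanged between driver, DLL and server.
enum CommandofCodeID
{
    ALPC_DRIVER_DLL_INJECTENABLE = 1,
    ALPC_DRIVER_DLL_INJECTDISABLE,

    ALPC_DRIVER_CONNECTSERVER = 10,     // driver -> server: connection hello
    ALPC_DRIVER_CONNECTSERVER_RECV,     // server -> driver: hello acknowledged
    ALPC_DLL_CONNECTSERVER,
    ALPC_DLL_CONNECTSERVER_RECV,
    ALPC_UNCONNECTSERVER,

    ALPC_DLL_MONITOR_CVE = 30,
    ALPC_DLL_INJECT_SUCCESS,
    ALPC_DLL_INJECT_FAILUER             // sic - spelling is part of the wire protocol
};

// Common prefix of every message payload.
typedef struct _UNIVERMSG
{
    ULONG ControlId;    // Command function Id (CommandofCodeID)
    ULONG Event;        // Event (user-mode handle value; unused by the driver)
}UNIVERMSG, *PUNIVERMSG;

// Driver -> server injection request (see AlpcSendMsgtoInjectDll).
typedef struct _DIRVER_INJECT_DLL
{
    UNIVERMSG univermsg;    // ALL Port Analys MSG
    PVOID ImageBase;
    ULONG Pids;
    wchar_t MsgData[10];
}DIRVER_INJECT_DLL, *PDIRVER_INJECT_DLL;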
| 143 | 144 | 145 | HANDLE g_DriverhPort; 146 | 147 | // 处理线程句柄 148 | HANDLE g_Recvhandle; 149 | 150 | NTSTATUS InitAlpcAddrs(); 151 | NTSTATUS AlpcDriverStart(); 152 | NTSTATUS AlpcSendMsgtoInjectDll(DIRVER_INJECT_DLL* lpMem); -------------------------------------------------------------------------------- /AntsDrv/object.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | typedef struct _OBJECT_TYPE_INITIALIZER 5 | { 6 | USHORT Length; 7 | USHORT type; 8 | PVOID ObjectTypeCode; 9 | PVOID InvalidAttributes; 10 | GENERIC_MAPPING GenericMapping; 11 | PVOID ValidAccessMask; 12 | PVOID RetainAccess; 13 | POOL_TYPE PoolType; 14 | PVOID DefaultPagedPoolCharge; 15 | PVOID DefaultNonPagedPoolCharge; 16 | PVOID DumpProcedure; 17 | PVOID OpenProcedure; 18 | PVOID CloseProcedure; 19 | PVOID DeleteProcedure; 20 | PVOID ParseProcedure; 21 | PVOID SecurityProcedure; 22 | PVOID QueryNameProcedure; 23 | USHORT OkayToCloseProcedure; 24 | } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; 25 | 26 | typedef struct _OBJECT_TYPE 27 | { 28 | LIST_ENTRY TypeList; // : _LIST_ENTRY 29 | UNICODE_STRING Name; // : _UNICODE_STRING 30 | PVOID DefaultObject; // : Ptr32 Void 31 | ULONG Index; // : UChar 32 | ULONG TotalNumberOfObjects; // : Uint4B 33 | ULONG TotalNumberOfHandles; // : Uint4B 34 | ULONG HighWaterNumberOfObjects; // : Uint4B 35 | ULONG HighWaterNumberOfHandles; // : Uint4B 36 | OBJECT_TYPE_INITIALIZER TypeInfo; // : _OBJECT_TYPE_INITIALIZER 37 | PVOID TypeLock; // : _EX_PUSH_LOCK 38 | ULONG Key; // : Uint4B 39 | LIST_ENTRY CallbackList; // : _LIST_ENTRY 40 | } OBJECT_TYPE, *POBJECT_TYPE; 41 | 42 | typedef struct _OBJECT_CREATE_INFORMATION 43 | { 44 | ULONG Attributes; 45 | HANDLE RootDirectory; 46 | KPROCESSOR_MODE ProbeMode; 47 | ULONG PagedPoolCharge; 48 | ULONG NonPagedPoolCharge; 49 | ULONG SecurityDescriptorCharge; 50 | PVOID SecurityDescriptor; 51 | PSECURITY_QUALITY_OF_SERVICE SecurityQos; 52 | 
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; 53 | } OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION; 54 | 55 | typedef struct _OBJECT_HEADER 56 | { 57 | //对象头部的指针计数,对对象头指针引用的计数 58 | LONG_PTR PointerCount; 59 | union 60 | { 61 | //句柄引用计数 62 | LONG_PTR HandleCount; 63 | PVOID NextToFree; 64 | }; 65 | POBJECT_TYPE Type; 66 | //OBJECT_HEADER_NAME_INFO相对于此结构的偏移 67 | UCHAR NameInfoOffset; 68 | //OBJECT_HEADER_HANDLE_INFO相对于此结构的偏移 69 | UCHAR HandleInfoOffset; 70 | //OBJECT_HEADER_QUOTA_INFO相对于此结构的偏移 71 | UCHAR QuotaInfoOffset; 72 | UCHAR Flags; 73 | 74 | union 75 | { 76 | //创建对象是用于创建对象附加头的结构 77 | //里面保存了和附加对象头类似的信息 78 | PVOID ObjectCreateInfo; 79 | PVOID QuotaBlockCharged; 80 | }; 81 | PSECURITY_DESCRIPTOR SecurityDescriptor; 82 | QUAD Body; 83 | } OBJECT_HEADER, *POBJECT_HEADER; 84 | -------------------------------------------------------------------------------- /CveCheck/CveCheck.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {FCCBA2F6-B17C-435C-81AF-39C5D0321119} 24 | Win32Proj 25 | CveCheck 26 | 10.0.17763.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | Unicode 34 | false 35 | 36 | 37 | DynamicLibrary 38 | false 39 | v141 40 | true 41 | Unicode 42 | 43 | 44 | DynamicLibrary 45 | true 46 | v141 47 | Unicode 48 | false 49 | 50 | 51 | DynamicLibrary 52 | false 53 | v141 54 | true 55 | Unicode 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | true 77 | 78 | 79 | true 80 | 81 | 82 | false 83 | 84 | 85 | false 86 | 87 | 88 | 89 | Use 90 | Level3 91 | Disabled 92 | false 93 | WIN32;_DEBUG;CVECHECK_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 94 | true 95 | pch.h 96 | 97 | 98 | Windows 99 | true 100 | false 101 | ..\lib\$(platform)\;%(AdditionalLibraryDirectories) 102 | 103 | 104 | 105 
| 106 | Use 107 | Level3 108 | Disabled 109 | false 110 | _DEBUG;CVECHECK_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 111 | true 112 | pch.h 113 | 114 | 115 | Windows 116 | true 117 | false 118 | 119 | 120 | 121 | 122 | Use 123 | Level3 124 | MaxSpeed 125 | true 126 | true 127 | true 128 | WIN32;NDEBUG;CVECHECK_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 129 | true 130 | pch.h 131 | 132 | 133 | Windows 134 | true 135 | true 136 | true 137 | false 138 | 139 | 140 | 141 | 142 | Use 143 | Level3 144 | MaxSpeed 145 | true 146 | true 147 | true 148 | NDEBUG;CVECHECK_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 149 | true 150 | pch.h 151 | 152 | 153 | Windows 154 | true 155 | true 156 | true 157 | false 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | NotUsing 171 | 172 | 173 | 174 | NotUsing 175 | 176 | 177 | 178 | Create 179 | Create 180 | Create 181 | Create 182 | 183 | 184 | 185 | 186 | 187 | -------------------------------------------------------------------------------- /CveCheck/CveCheck.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {359273ac-511f-40a9-a3e2-dadd915b10f2} 18 | 19 | 20 | {49080845-ed79-416b-9aa1-d2bf924e39a4} 21 | 22 | 23 | {8813ac34-f4b7-4460-99a1-c371a2281c92} 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | hook 35 | 36 | 37 | HlprDLLAlpc 38 | 39 | 40 | Header Files 41 | 42 | 43 | cvecheck 44 | 45 | 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | hook 55 | 56 | 57 | HlprDLLAlpc 58 | 59 | 60 | cvecheck 61 | 62 | 63 | 
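--------------------------------------------------------------------------------
/CveCheck/CveCheck.vcxproj.user:
--------------------------------------------------------------------------------
(XML element text not preserved by the page extraction)
--------------------------------------------------------------------------------
/CveCheck/Cve_2016_0189.cpp:
--------------------------------------------------------------------------------
#include "hook.h"
#include "Cve_2016_0189.h"
#include "HlprDllAlpc.h"
#include // header name lost in page extraction

typedef HRESULT (WINAPI *FnVariantChangeTypeExHook)(VARIANTARG *pvargDest, const VARIANTARG *pvarSrc, LCID lcid, USHORT wFlags, VARTYPE vt);

// Trampoline returned by Dll_Hook; calls the original VariantChangeTypeEx.
// NULL until InitVariantChangeTypeExHook has installed the detour.
FnVariantChangeTypeExHook syscall_VariantChangeTypeEx;

// Block/permit gate the detour waits on after reporting a suspicious call.
// NULL when CreateEvent failed; the detour then skips the wait (fail-open).
HANDLE g_160189evt;

// Detour installed over VariantChangeTypeEx.
//
// Heuristic kept from the original: a conversion with lcid 0x400,
// VARIANT_ALPHABOOL, target VT_I4 and a VT_DISPATCH source is forwarded to
// the real function, and the SAFEARRAY bound read through pvarSrc->parray is
// compared before and after the call; a shrink is reported as CVE-2016-0189.
//
// NOTE(review): when pvarSrc->vt is VT_DISPATCH the active union member is
// pdispVal, not parray, so the rgsabound[] reads reinterpret an IDispatch
// pointer as a SAFEARRAY*. The condition is left as the author wrote it
// (the cDims/fFeatures checks were already commented out); the only
// additions are the NULL guards. Confirm the intended VARIANT shape before
// relying on this heuristic.
HRESULT STDAPICALLTYPE VariantChangeTypeExHook_Callback(_Inout_ VARIANTARG * pvargDest,
    _In_ const VARIANTARG * pvarSrc, _In_ LCID lcid, _In_ USHORT wFlags, _In_ VARTYPE vt)
{
    const BOOL bSuspicious =
        pvarSrc != NULL
        && lcid == 0x400
        && wFlags == VARIANT_ALPHABOOL
        && vt == VT_I4
        && pvarSrc->vt == VT_DISPATCH
        && pvarSrc->parray != NULL
        && pvarSrc->parray->rgsabound[0].cElements > 1;

    if (!bSuspicious)
        return syscall_VariantChangeTypeEx(pvargDest, pvarSrc, lcid, wFlags, vt);

    MessageBox(NULL, L"1 Check CVE-2016-0189", L"CVE", MB_OK);

    const ULONG old_cElements = pvarSrc->parray->rgsabound[0].cElements;
    const HRESULT nRet = syscall_VariantChangeTypeEx(pvargDest, pvarSrc, lcid, wFlags, vt);

    // Report the call to the server before the block/permit decision.
    MONITORCVEINFO moncveinfo;
    RtlSecureZeroMemory(&moncveinfo, sizeof(MONITORCVEINFO));
    moncveinfo.univermsg.ControlId = ALPC_DLL_MONITOR_CVE;
    lstrcpyW(moncveinfo.cvename, L"CVE-2016-0189");
    moncveinfo.Pid = GetCurrentProcessId();
    // Send Msg to Server CVE_2016_0819 Hide
    HlprAlpcSendMsg(&moncveinfo, sizeof(MONITORCVEINFO));

    // Test : Event Wait User action: block or Permit.
    // With g_160189evt NULL this falls straight through, and any process
    // that can open the event by name can also release the wait.
    if (g_160189evt)
        WaitForSingleObject(g_160189evt, INFINITE);

    // If the array bound is smaller after the call than before, treat it as CVE-2016-0189.
    if (pvarSrc->parray->rgsabound[0].cElements < old_cElements)
    {
        MessageBox(NULL, L"VariantChangeTypeExHook_Callback Check Cve_2016_0189", L"CVE", MB_OK);
        // The original built a second MONITORCVEINFO here and never sent it;
        // the report above already carries the same payload, so it is gone.
    }
    return nRet;
}

// Resolve VariantChangeTypeEx in the module at oleauthandle and detour it.
// Returns 0 on success and STATUS_UNSUCCESSFUL (0xC0000001) when the export
// cannot be resolved or the detour is not installed; the previously
// installed trampoline (if any) is left untouched on failure.
// oleauthandle is a ULONG, so this only addresses a 32-bit module base.
NTSTATUS InitVariantChangeTypeExHook(
    const ULONG oleauthandle
)
{
    PVOID VariantChangeTypeExaddr = GetProcAddress((HMODULE)oleauthandle, "VariantChangeTypeEx");

    MessageBox(NULL, L"VariantChangeTypeExaddr", L"Inject", MB_OK);

    // The original also tested `!VariantChangeTypeExHook_Callback`, which is a
    // function address and therefore never NULL (warning C4551 in the build log).
    if (!VariantChangeTypeExaddr)
        return (NTSTATUS)0xC0000001L; // STATUS_UNSUCCESSFUL

    // inline Hook; Dll_Hook returns the trampoline to the original, or NULL.
    FnVariantChangeTypeExHook orig = (FnVariantChangeTypeExHook)Dll_Hook(VariantChangeTypeExaddr, VariantChangeTypeExHook_Callback);
    if (!orig)
        return (NTSTATUS)0xC0000001L; // STATUS_UNSUCCESSFUL

    syscall_VariantChangeTypeEx = orig;
    return 0;
}

// Not implemented; always reports success.
NTSTATUS EnableVariantChangeTypeExHook()
{
    return 0;
}

// Not implemented; always reports success.
NTSTATUS DisableVariantChangeTypeExHook()
{
    return 0;
}

// Not implemented; the detour is never removed.
NTSTATUS UnVariantChangeTypeExHook()
{
    return 0;
}

// Entry point used by DllMain: create the block/permit gate, then install the hook.
// Returns 0 when the hook was installed, -1 otherwise (callers in this project
// currently ignore the result).
// NOTE(review): the event name reads "CVE160819" while the CVE is 2016-0189 and
// it embeds backslashes; whichever component opens it must use the identical
// string. A NULL result is tolerated and makes the detour fail-open.
int Cve_2016_0189_CheckTryInstall(const ULONG ImageBase)
{
    g_160189evt = CreateEvent(NULL, FALSE, FALSE, L"\\Evnt\\CVE160819");
    return InitVariantChangeTypeExHook(ImageBase) == 0 ? 0 : -1;
}

// Not implemented; always reports success.
int Cve_2016_0189_CheckDisable()
{
    return 0;
}

// Not implemented; always reports success.
int Cve_2016_0189_CheckUninstall()
{
    return 0;
}
--------------------------------------------------------------------------------
/CveCheck/Cve_2016_0189.h:
--------------------------------------------------------------------------------
#pragma once
#include // header name lost in page extraction

extern "C"
{
    int Cve_2016_0189_CheckTryInstall(const ULONG ImageBase);
    int Cve_2016_0189_CheckDisable();
    int Cve_2016_0189_CheckUninstall();
}

--------------------------------------------------------------------------------
/CveCheck/Debug/CveCheck.Build.CppClean.log:
--------------------------------------------------------------------------------
f:\exp\cvecheck\debug\cvecheck.pch
f:\exp\cvecheck\debug\vc141.pdb
f:\exp\cvecheck\debug\vc141.idb
f:\exp\cvecheck\debug\pch.obj
f:\exp\cvecheck\debug\cve_2016_0189.obj
f:\exp\cvecheck\debug\cvecheck.tlog\cl.command.1.tlog
f:\exp\cvecheck\debug\cvecheck.tlog\cl.read.1.tlog
f:\exp\cvecheck\debug\cvecheck.tlog\cl.write.1.tlog

--------------------------------------------------------------------------------
/CveCheck/Debug/CveCheck.log:
--------------------------------------------------------------------------------
 pch.cpp
Cve_2016_0189.cpp
f:\exp\cvecheck\cve_2016_0189.cpp(78): warning C4551: function call missing argument list
HlprDllAlpc.cpp
f:\exp\cvecheck\hlprdllalpc.cpp(243): warning C4101: 'nLen': unreferenced local variable
f:\exp\cvecheck\hlprdllalpc.cpp(242): warning C4101: 'bBreak': unreferenced local variable
f:\exp\cvecheck\hlprdllalpc.cpp(240): warning C4101: 'pmReceive': unreferenced local variable
Generating Code...
dllmain.cpp
hook.cpp
f:\exp\cvecheck\hook.cpp(94): warning C4102: 'skip_e9_rewrite': unreferenced label
Generating Code...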
13 | CveCheck.vcxproj -> F:\Exp\Debug\CveCheck.dll 14 | -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.pch -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/CveCheck.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|Win32|F:\Exp\| 3 | -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/link.command.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/CveCheck.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/CveCheck.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /CveCheck/Debug/Cve_2016_0189.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/Cve_2016_0189.obj -------------------------------------------------------------------------------- /CveCheck/Debug/HlprDllAlpc.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/HlprDllAlpc.obj -------------------------------------------------------------------------------- /CveCheck/Debug/dllmain.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/dllmain.obj 
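--------------------------------------------------------------------------------
/CveCheck/Debug/hook.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/hook.obj
--------------------------------------------------------------------------------
/CveCheck/Debug/pch.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/pch.obj
--------------------------------------------------------------------------------
/CveCheck/Debug/vc141.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/vc141.idb
--------------------------------------------------------------------------------
/CveCheck/Debug/vc141.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheck/Debug/vc141.pdb
--------------------------------------------------------------------------------
/CveCheck/HlprDllAlpc.cpp:
--------------------------------------------------------------------------------
#include "ntbasic.h"
#include "HlprDllAlpc.h"
#define MSG_LEN 128

#include // header name lost in page extraction

/*************************************************************************
  lnk lib extern
*************************************************************************/
extern "C"
{
    typedef struct _PORT_VIEW
    {
        ULONG Length;
        HANDLE SectionHandle;
        ULONG SectionOffset;
        SIZE_T ViewSize;
        PVOID ViewBase;
        PVOID ViewRemoteBase;
    } PORT_VIEW, *PPORT_VIEW;

    typedef struct _REMOTE_PORT_VIEW
    {
        ULONG Length;
        SIZE_T ViewSize;
        PVOID ViewBase;
    } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;

    typedef struct _PORT_MESSAGE
    {
        union
        {
            struct
            {
                CSHORT DataLength;
                CSHORT TotalLength;
            } s1;
            ULONG Length;
        } u1;
        union
        {
            struct
            {
                CSHORT Type;
                CSHORT DataInfoOffset;
            } s2;
            ULONG ZeroInit;
        } u2;
        union
        {
            CLIENT_ID ClientId;
            QUAD DoNotUseThisField;
        };
        ULONG MessageId;
        union
        {
            SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
            ULONG CallbackId; // only valid for LPC_REQUEST messages
        };
    } PORT_MESSAGE, *PPORT_MESSAGE;

    typedef struct _ALPC_MESSAGE_ATTRIBUTES
    {
        ULONG AllocatedAttributes;
        ULONG ValidAttributes;
    } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;

    // symbols
    typedef struct _ALPC_PORT_ATTRIBUTES
    {
        ULONG Flags;
        SECURITY_QUALITY_OF_SERVICE SecurityQos;
        SIZE_T MaxMessageLength;
        SIZE_T MemoryBandwidth;
        SIZE_T MaxPoolUsage;
        SIZE_T MaxSectionSize;
        SIZE_T MaxViewSize;
        SIZE_T MaxTotalSectionSize;
        ULONG DupObjectTypes;
#ifdef _M_X64
        ULONG Reserved;
#endif
    } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;

    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtAlpcCreatePort(
        __out PHANDLE PortHandle,
        __in POBJECT_ATTRIBUTES ObjectAttributes,
        __in_opt PALPC_PORT_ATTRIBUTES PortAttributes
    );

    NTSYSAPI
    VOID
    NTAPI
    RtlInitUnicodeString(
        _Out_ PUNICODE_STRING DestinationString,
        _In_opt_z_ __drv_aliasesMem PCWSTR SourceString
    );

    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwCreateSection(
        _Out_ PHANDLE SectionHandle,
        _In_ ACCESS_MASK DesiredAccess,
        _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
        _In_opt_ PLARGE_INTEGER MaximumSize,
        _In_ ULONG SectionPageProtection,
        _In_ ULONG AllocationAttributes,
        _In_opt_ HANDLE FileHandle
    );

    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtAlpcConnectPort(
        __out PHANDLE PortHandle,
        __in PUNICODE_STRING PortName,
        __in POBJECT_ATTRIBUTES ObjectAttributes,
        __in_opt PALPC_PORT_ATTRIBUTES PortAttributes,
        __in ULONG Flags,
        __in_opt PSID RequiredServerSid,
        __inout PPORT_MESSAGE ConnectionMessage,
        __inout_opt PULONG BufferLength,
        __inout_opt PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
        __inout_opt PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
        __in_opt PLARGE_INTEGER Timeout
    );

    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtAlpcAcceptConnectPort(
        __out PHANDLE PortHandle,
        __in HANDLE ConnectionPortHandle,
        __in ULONG Flags,
        __in POBJECT_ATTRIBUTES ObjectAttributes,
        __in PALPC_PORT_ATTRIBUTES PortAttributes,
        __in_opt PVOID PortContext,
        __in PPORT_MESSAGE ConnectionRequest,
        __inout_opt PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes,
        __in BOOLEAN AcceptConnection
    );

    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtAlpcSendWaitReceivePort(
        __in HANDLE PortHandle,
        __in ULONG Flags,
        __in_opt PPORT_MESSAGE SendMessage,
        __in_opt PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
        __inout_opt PPORT_MESSAGE ReceiveMessage,
        __inout_opt PULONG BufferLength,
        __inout_opt PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
        __in_opt PLARGE_INTEGER Timeout
    );

    NTSYSCALLAPI
    NTSTATUS
    NTAPI
    NtAlpcDisconnectPort(
        __in HANDLE PortHandle,
        __in ULONG Flags
    );
}

// Connection handle to the monitor server's ALPC port; NULL until AlpcDllStart succeeds.
HANDLE g_DllhPort;

// Build a heap buffer holding *PortMessage followed by MessageSize bytes of Message.
// Returns the buffer (caller releases it with HeapFree) or NULL when the
// allocation fails; the original wrote through the unchecked result.
LPVOID CreateMsgMem(
    PPORT_MESSAGE PortMessage,
    SIZE_T MessageSize,
    LPVOID Message
)
{
    LPVOID lpMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MessageSize + sizeof(PORT_MESSAGE));
    if (!lpMem)
        return NULL;
    memmove(lpMem, PortMessage, sizeof(PORT_MESSAGE));
    memmove((BYTE*)lpMem + sizeof(PORT_MESSAGE), Message, MessageSize);
    return lpMem;
}

// Send MsgLen bytes of Info to the server as a one-way datagram (no reply read).
// Does nothing when not connected or when MsgLen cannot be described by the
// CSHORT length fields; the staging buffer is released on every path (the
// original leaked it whenever g_DllhPort was still NULL).
void HlprAlpcSendMsg(LPVOID Info, const int MsgLen)
{
    PORT_MESSAGE pSend;
    RtlSecureZeroMemory(&pSend, sizeof(PORT_MESSAGE));

    // DataLength/TotalLength are CSHORT (16-bit signed).
    if (MsgLen < 0 || (SIZE_T)MsgLen + sizeof(PORT_MESSAGE) > 0x7FFF)
        return;
    pSend.u1.s1.DataLength = (CSHORT)MsgLen;
    pSend.u1.s1.TotalLength = (CSHORT)(MsgLen + sizeof(PORT_MESSAGE));

    LPVOID lpMsg = CreateMsgMem(&pSend, (SIZE_T)MsgLen, Info);
    if (!lpMsg)
        return;

    if (g_DllhPort != NULL)
    {
        // Status is not checked; the original notes a failure of 0xC0000707 here.
        NtAlpcSendWaitReceivePort(g_DllhPort, 0, (PPORT_MESSAGE)lpMsg, 0, NULL, NULL, 0, 0);
    }
    HeapFree(GetProcessHeap(), 0, lpMsg);
}

// Receive loop for messages pushed by the server; runs on its own thread
// until a receive fails (for example when the port is disconnected).
DWORD AlpcReadMsgCallback(
    LPVOID lpThreadParameter
)
{
    // The original received into a bare PORT_MESSAGE on the stack while
    // advertising 0x500 bytes of buffer; the receive honours BufferLength, so
    // any real payload overran the stack frame. Receive into a buffer of the
    // advertised size instead.
    BYTE recvbuf[0x500]; // MAX Msg Len
    NTSTATUS ntRet;

    for (;;)
    {
        ULONG nLen = sizeof(recvbuf); // in/out: reset before every receive
        RtlSecureZeroMemory(recvbuf, sizeof(recvbuf));
        ntRet = NtAlpcSendWaitReceivePort(g_DllhPort, 0, NULL, NULL, (PPORT_MESSAGE)recvbuf, &nLen, NULL, NULL);
        if (!NT_SUCCESS(ntRet))
            break; // the original spun forever on a failing receive

        // The payload follows the PORT_MESSAGE header. It comes from whoever
        // owns the server port (not pinned at connect time), so treat it as
        // untrusted and check the length before reading it.
        if (nLen < sizeof(PORT_MESSAGE) + sizeof(UNIVERMSG))
            continue;
        UNIVERMSG univermsg;
        memcpy(&univermsg, recvbuf + sizeof(PORT_MESSAGE), sizeof(UNIVERMSG));
        // HANDLE hEvent = univermsg.Event;
        switch (univermsg.ControlId)
        {
        case ALPC_DRIVER_CONNECTSERVER_RECV:
            // not handled yet (empty in the original as well)
            break;
        default:
            break;
        }
    }
    return 0;
}

// Connect to the monitor server's ALPC port and start the receive thread.
// ServerName is accepted for interface compatibility only: the original
// always connected to the fixed port name below, and that is preserved.
void AlpcDllStart(
    TCHAR *ServerName
)
{
    UNICODE_STRING usPort;
    PORT_MESSAGE pmSend;
    NTSTATUS ntRet;
    LPVOID lpMem;

    RtlInitUnicodeString(&usPort, L"\\RPC Control\\CveMonitorPort");

    // Connection message: announce this process to the server.
    MONITORCVEINFO moninfo = { 0, };
    moninfo.univermsg.ControlId = ALPC_DLL_CONNECTSERVER;
    moninfo.Pid = GetCurrentProcessId();

    RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
    pmSend.u1.s1.DataLength = sizeof(MONITORCVEINFO);
    pmSend.u1.s1.TotalLength = pmSend.u1.s1.DataLength + sizeof(PORT_MESSAGE);
    lpMem = CreateMsgMem(&pmSend, sizeof(MONITORCVEINFO), &moninfo);
    if (!lpMem)
        return;

    // NOTE(review): RequiredServerSid is NULL, so whatever process owns this
    // port name is accepted as the server; pin the expected SID once it is known.
    ntRet = NtAlpcConnectPort(&g_DllhPort, &usPort, NULL, NULL, 0, 0, (PPORT_MESSAGE)lpMem, NULL, 0, 0, 0);
    HeapFree(GetProcessHeap(), 0, lpMem);
    lpMem = NULL;

    if (!NT_SUCCESS(ntRet))
    {
        // The original carried on with an unopened handle; keep it NULL so
        // HlprAlpcSendMsg stays inert and no receive thread is started.
        g_DllhPort = NULL;
        return;
    }
    MessageBox(NULL, L"Success Connect Port", L"Inject", MB_OK);

    // The original sent an all-zero PORT_MESSAGE right after connecting and
    // ignored the status; kept as-is since its purpose is not visible here.
    PORT_MESSAGE pmEmpty;
    RtlSecureZeroMemory(&pmEmpty, sizeof(PORT_MESSAGE));
    NtAlpcSendWaitReceivePort(g_DllhPort, 0, (PPORT_MESSAGE)&pmEmpty, 0, NULL, NULL, 0, 0);

    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&AlpcReadMsgCallback, NULL, 0, NULL);
    if (hThread)
        CloseHandle(hThread); // the thread keeps running; only the handle was leaked
}
--------------------------------------------------------------------------------
/CveCheck/HlprDllAlpc.h:
--------------------------------------------------------------------------------
#pragma once
#pragma comment(lib,"alpc.lib")
#pragma comment(lib,"ntdll.lib")
#define ALPC_SERVER_PORT L"\\RPC Control\\ServerPort"

extern "C"
{
    // Exec struct
    typedef struct _UNIVERMSG
    {
        ULONG ControlId; // Command function Id
        ULONG Event;
    }UNIVERMSG, *PUNIVERMSG;

    // Wire format shared with CveCheckUI/BaseWinDlg.cpp; keep the layouts identical.
    typedef struct _MONITORCVEINFO
    {
        UNIVERMSG univermsg;
        wchar_t cvename[30]; // CVE Name
        int Pid; // Process Pid
    }MONITORCVEINFO,*PMONITORCVEINFO;

    enum CommandofCodeID
    {
        ALPC_DRIVER_DLL_INJECTENABLE = 1,
        ALPC_DRIVER_DLL_INJECTDISABLE,

        ALPC_DRIVER_CONNECTSERVER = 10,
        ALPC_DRIVER_CONNECTSERVER_RECV,
        ALPC_DLL_CONNECTSERVER,
        ALPC_DLL_CONNECTSERVER_RECV,
        ALPC_UNCONNECTSERVER,

        ALPC_DLL_MONITOR_CVE = 30,
        ALPC_DLL_INJECT_SUCCESS,
        ALPC_DLL_INJECT_FAILUER
    };

    void AlpcDllStart(
        TCHAR *ServerName
    );
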
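    void HlprAlpcSendMsg(LPVOID Info, const int MsgLen);
}

--------------------------------------------------------------------------------
/CveCheck/dllmain.cpp:
--------------------------------------------------------------------------------
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include "Cve_2016_0189.h"
#include "HlprDllAlpc.h"

// Read the hook target's image base from the "ShareImageBase" mapping.
// Returns 0 when the mapping is missing, cannot be mapped, or holds a value
// that is not the base of a module loaded in this process.
static ULONG ReadSharedImageBase(void)
{
    ULONG HookImageBase = 0;

    // Read access is all this needs (the original asked for FILE_MAP_ALL_ACCESS).
    HANDLE ImageBaseHand = OpenFileMapping(FILE_MAP_READ, FALSE, L"ShareImageBase");
    if (!ImageBaseHand)
        return 0;
    PVOID ImageAddr = MapViewOfFile(ImageBaseHand, FILE_MAP_READ, 0, 0, sizeof(ULONG));
    if (ImageAddr)
    {
        memcpy(&HookImageBase, ImageAddr, sizeof(ULONG));
        UnmapViewOfFile(ImageAddr); // the original leaked the view ...
    }
    CloseHandle(ImageBaseHand);     // ... and the mapping handle

    // The mapping is a named object any local process may create or write,
    // so the value is untrusted input. Accept it only if it is the base of a
    // module currently loaded here; otherwise GetProcAddress would be pointed
    // at memory chosen by whoever wrote the mapping.
    HMODULE hMod = NULL;
    if (HookImageBase == 0
        || !GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                               (LPCWSTR)(ULONG_PTR)HookImageBase, &hMod)
        || hMod != (HMODULE)(ULONG_PTR)HookImageBase)
        return 0;
    return HookImageBase;
}

// On process attach: fetch the hook target's base, connect to the monitor
// server and install the CVE-2016-0189 detour. Thread attach/detach and
// process detach do nothing.
// NOTE(review): MessageBox and the thread started by AlpcDllStart run under
// the loader lock here; deferring the setup to a worker started after attach
// would be safer.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        MessageBox(NULL, L"Inject", L"Inject", MB_OK);
        // OpenMapping Get ImageBase;
        const ULONG HookImageBase = ReadSharedImageBase();
        if (HookImageBase == 0)
            break; // or Send alpcMsg Get Mapping ImageBase Failuer;

        // The original passed a narrow literal cast to TCHAR*; the port name
        // is wide in a Unicode build (AlpcDllStart ignores the argument anyway).
        AlpcDllStart((TCHAR *)TEXT("\\RPC Control\\CveMonitorPort"));

        // Init Cve Inject
        Cve_2016_0189_CheckTryInstall(HookImageBase);
    }
    break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

--------------------------------------------------------------------------------
/CveCheck/framework.h:
--------------------------------------------------------------------------------
#pragma once

#define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
// Windows Header Files
#include // header name lost in page extraction

--------------------------------------------------------------------------------
/CveCheck/hook.cpp:
--------------------------------------------------------------------------------
#include "pch.h"
#include "hook.h"
#include // header name lost in page extraction

// Fill tramp with the first 12 bytes of SourceFunc followed by a jmp rel32
// back to SourceFunc+12. The 12-byte prologue length is assumed from the
// listing below, not measured; tramp must provide at least 17 bytes of
// writable, executable memory. Always returns 0.
int HookAnalysTramp(
    void* SourceFunc,
    UCHAR* tramp
)
{
    /*
    Exported entry 147. VariantChangeTypeEx:
    6FC34C28 8B FF                mov     edi, edi
    6FC34C2A 55                   push    ebp
    6FC34C2B 8B EC                mov     ebp, esp
    6FC34C2D 83 EC 30             sub     esp, 30h
    6FC34C30 83 7D 08 00          cmp     [ebp+pvargDest], 0
    6FC34C34 53                   push    ebx

    tramp:
    8B FF                mov     edi, edi
    55                   push    ebp
    8B EC                mov     ebp, esp
    83 EC 30             sub     esp, 30h
    83 7D 08 00          cmp     [ebp+pvargDest], 0
    E9 xx xx xx xx       jmp     6FC34C34
    */
    memcpy(tramp, SourceFunc, 12);
    tramp[12] = 0xE9;
    // rel32 for 0xE9: destination - (address of the byte after the 5-byte jmp)
    *(ULONG *)(&tramp[13]) = ((ULONG)SourceFunc + 12) - 5 - ((ULONG)tramp + 12);
    return 0;
}

// Allocate a small RWX region for a trampoline. Returns NULL on failure;
// the original zeroed the pointer before checking it and then called
// ExitProcess(-1), taking the host process down from inside an injected DLL.
void *Dll_AllocCode12(void)
{
    //
    // note that a pool cell is 128 bytes
    //
    UCHAR *ptr = (UCHAR *)VirtualAlloc(NULL, 20, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!ptr) {
        return NULL;
    }
    memset(ptr, 0, 20);
    return ptr;
}

// Install an inline detour: overwrite the first bytes of SourceFunc with a
// jmp rel32 to DetourFunc and return a trampoline that runs the displaced
// 12 bytes and jumps back. Returns NULL when SourceFunc is NULL, when it
// already jumps to DetourFunc, or when memory cannot be allocated or
// unprotected. All rel32 arithmetic is done in ULONG, so this is a
// 32-bit-only implementation.
void *Dll_Hook(
    void *SourceFunc,
    void *DetourFunc
)
{
    UCHAR *tramp, *func;
    ULONG prot, dummy_prot;
    ULONG_PTR diff;
    ULONG_PTR target;

    if (!SourceFunc) {
        return NULL;
    }

    // Follow (x64) or retarget (x86) an existing jmp rel32 at the entry point.
    while (*(UCHAR *)SourceFunc == 0xE9) {

        diff = *(LONG *)((ULONG_PTR)SourceFunc + 1);
        target = (ULONG_PTR)SourceFunc + diff + 5;
        if (target == (ULONG_PTR)DetourFunc) {
            return NULL; // already detoured to DetourFunc
        }

#ifdef _WIN64

        SourceFunc = (void *)target;

#else /* !_WIN64 */

        // Rewrite the existing jmp's displacement to reach DetourFunc and hand
        // back the previous target as the "original" (hook chaining).
        func = (UCHAR *)SourceFunc;
        diff = (UCHAR *)DetourFunc - (func + 5);
        ++func;
        if (!VirtualProtect(func, 4, PAGE_EXECUTE_READWRITE, &prot)) {
            return NULL;
        }
        *(ULONG *)func = (ULONG)diff;
        VirtualProtect(func, 4, prot, &dummy_prot);

        return (void *)target;

#endif /* _WIN64 */

    }

    //
    // trampoline holding the displaced prologue
    //

    tramp = (UCHAR *)Dll_AllocCode12();
    if (!tramp) {
        return NULL;
    }
    // if data 48:xxxx mov xxx,xxx
    if (HookAnalysTramp(SourceFunc, tramp) != 0) {
        VirtualFree(tramp, 0, MEM_RELEASE);
        return NULL;
    }

    //
    // create the detour
    //

    func = (UCHAR *)SourceFunc;

    if (!VirtualProtect(func, 12, PAGE_EXECUTE_READWRITE, &prot)) {
        VirtualFree(tramp, 0, MEM_RELEASE); // the original leaked the trampoline here
        return NULL;
    }

    MessageBox(NULL, L"Hook Nop", L"Inject", MB_OK);

    // jmp rel32 staged on the stack (the original malloc(20)'d this and never
    // freed it). The displacement is relative to func, the patched site, not
    // to the staging buffer.
    UCHAR jmp[5];
    jmp[0] = 0xE9;
    *(ULONG *)(&jmp[1]) = (ULONG)DetourFunc - 5 - (ULONG)func;

    // Nop the displaced 12 bytes first, then write the 5-byte jmp over them.
    memset(func, 0x90, 12);
    memcpy(func, jmp, 5);

    VirtualProtect(func, 12, prot, &dummy_prot);

    return tramp;
}
--------------------------------------------------------------------------------
/CveCheck/hook.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef _MY_HOOK_H
#define _MY_HOOK_H

void *Dll_Hook(
    void *SourceFunc, void *DetourFunc);

#endif // _MY_HOOK_H


--------------------------------------------------------------------------------
/CveCheck/ntbasic.h:
--------------------------------------------------------------------------------
#ifndef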
_NTBASIC_H 2 | #define _NTBASIC_H 3 | #include 4 | 5 | #ifndef _NTDEF_ 6 | 7 | // This header file provides basic NT types not included in Win32. 8 | 9 | #ifndef NOTHING 10 | #define NOTHING 11 | #endif 12 | 13 | // Basic types 14 | 15 | typedef struct _QUAD 16 | { 17 | double DoNotUseThisField; 18 | } QUAD, *PQUAD, UQUAD, *PUQUAD; 19 | 20 | // This isn't in NT, but it's useful. 21 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 22 | { 23 | ULONG_PTR DoNotUseThisField1; 24 | ULONG_PTR DoNotUseThisField2; 25 | } QUAD_PTR, *PQUAD_PTR, UQUAD_PTR, *PUQUAD_PTR; 26 | 27 | typedef PVOID *PPVOID; 28 | 29 | typedef ULONG LOGICAL; 30 | typedef ULONG *PLOGICAL; 31 | 32 | typedef __success(return >= 0) LONG NTSTATUS; 33 | typedef NTSTATUS *PNTSTATUS; 34 | 35 | // Cardinal types 36 | 37 | typedef char CCHAR; 38 | typedef short CSHORT; 39 | typedef ULONG CLONG; 40 | 41 | typedef CCHAR *PCCHAR; 42 | typedef CSHORT *PCSHORT; 43 | typedef CLONG *PCLONG; 44 | 45 | // Specific 46 | 47 | typedef UCHAR KIRQL, *PKIRQL; 48 | typedef LONG KPRIORITY; 49 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 50 | 51 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 52 | 53 | // NT status macros 54 | 55 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 56 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 57 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 58 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 59 | 60 | #define NT_FACILITY_MASK 0xfff 61 | #define NT_FACILITY_SHIFT 16 62 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 63 | 64 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 65 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 66 | 67 | // Functions 68 | 69 | #ifdef _M_IX86 70 | #define FASTCALL __fastcall 71 | #else 72 | #define FASTCALL 73 | #endif 74 | 75 | // Synchronization enumerations 76 | 77 | typedef enum _EVENT_TYPE 78 | { 
79 | NotificationEvent, 80 | SynchronizationEvent 81 | } EVENT_TYPE; 82 | 83 | typedef enum _TIMER_TYPE 84 | { 85 | NotificationTimer, 86 | SynchronizationTimer 87 | } TIMER_TYPE; 88 | 89 | typedef enum _WAIT_TYPE 90 | { 91 | WaitAll, 92 | WaitAny 93 | } WAIT_TYPE; 94 | 95 | // Strings 96 | 97 | typedef struct _STRING 98 | { 99 | USHORT Length; 100 | USHORT MaximumLength; 101 | __field_bcount_part_opt(MaximumLength, Length) PCHAR Buffer; 102 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 103 | 104 | typedef const STRING *PCSTRING; 105 | typedef const ANSI_STRING *PCANSI_STRING; 106 | typedef const OEM_STRING *PCOEM_STRING; 107 | 108 | typedef struct _UNICODE_STRING 109 | { 110 | USHORT Length; 111 | USHORT MaximumLength; 112 | __field_bcount_part(MaximumLength, Length) PWCH Buffer; 113 | } UNICODE_STRING, *PUNICODE_STRING; 114 | 115 | typedef const UNICODE_STRING *PCUNICODE_STRING; 116 | 117 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 118 | 119 | // Balanced tree node 120 | 121 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 122 | 123 | typedef struct _RTL_BALANCED_NODE 124 | { 125 | union 126 | { 127 | struct _RTL_BALANCED_NODE *Children[2]; 128 | struct 129 | { 130 | struct _RTL_BALANCED_NODE *Left; 131 | struct _RTL_BALANCED_NODE *Right; 132 | }; 133 | }; 134 | union 135 | { 136 | UCHAR Red : 1; 137 | UCHAR Balance : 2; 138 | ULONG_PTR ParentValue; 139 | }; 140 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 141 | 142 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 143 | 144 | // Portability 145 | 146 | typedef struct _SINGLE_LIST_ENTRY32 147 | { 148 | ULONG Next; 149 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 150 | 151 | typedef struct _STRING32 152 | { 153 | USHORT Length; 154 | USHORT MaximumLength; 155 | ULONG Buffer; 156 | } STRING32, *PSTRING32; 157 | 158 | typedef STRING32 UNICODE_STRING32, 
*PUNICODE_STRING32; 159 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 160 | 161 | typedef struct _STRING64 162 | { 163 | USHORT Length; 164 | USHORT MaximumLength; 165 | ULONGLONG Buffer; 166 | } STRING64, *PSTRING64; 167 | 168 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 169 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 170 | 171 | // Object attributes 172 | 173 | #define OBJ_INHERIT 0x00000002 174 | #define OBJ_PERMANENT 0x00000010 175 | #define OBJ_EXCLUSIVE 0x00000020 176 | #define OBJ_CASE_INSENSITIVE 0x00000040 177 | #define OBJ_OPENIF 0x00000080 178 | #define OBJ_OPENLINK 0x00000100 179 | #define OBJ_KERNEL_HANDLE 0x00000200 180 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 181 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 182 | 183 | typedef struct _OBJECT_ATTRIBUTES 184 | { 185 | ULONG Length; 186 | HANDLE RootDirectory; 187 | PUNICODE_STRING ObjectName; 188 | ULONG Attributes; 189 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; 190 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE 191 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 192 | 193 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; 194 | 195 | #define InitializeObjectAttributes(p, n, a, r, s) { \ 196 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 197 | (p)->RootDirectory = r; \ 198 | (p)->Attributes = a; \ 199 | (p)->ObjectName = n; \ 200 | (p)->SecurityDescriptor = s; \ 201 | (p)->SecurityQualityOfService = NULL; \ 202 | } 203 | 204 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 205 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 206 | 207 | // Portability 208 | 209 | typedef struct _OBJECT_ATTRIBUTES64 210 | { 211 | ULONG Length; 212 | ULONG64 RootDirectory; 213 | ULONG64 ObjectName; 214 | ULONG Attributes; 215 | ULONG64 SecurityDescriptor; 216 | ULONG64 SecurityQualityOfService; 217 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 218 | 219 | typedef const 
OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 220 | 221 | typedef struct _OBJECT_ATTRIBUTES32 222 | { 223 | ULONG Length; 224 | ULONG RootDirectory; 225 | ULONG ObjectName; 226 | ULONG Attributes; 227 | ULONG SecurityDescriptor; 228 | ULONG SecurityQualityOfService; 229 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 230 | 231 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 232 | 233 | // Product types 234 | 235 | typedef enum _NT_PRODUCT_TYPE 236 | { 237 | NtProductWinNt = 1, 238 | NtProductLanManNt, 239 | NtProductServer 240 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 241 | 242 | typedef enum _SUITE_TYPE 243 | { 244 | SmallBusiness, 245 | Enterprise, 246 | BackOffice, 247 | CommunicationServer, 248 | TerminalServer, 249 | SmallBusinessRestricted, 250 | EmbeddedNT, 251 | DataCenter, 252 | SingleUserTS, 253 | Personal, 254 | Blade, 255 | EmbeddedRestricted, 256 | SecurityAppliance, 257 | StorageServer, 258 | ComputeServer, 259 | WHServer, 260 | PhoneNT, 261 | MaxSuiteType 262 | } SUITE_TYPE; 263 | 264 | // Specific 265 | 266 | typedef struct _CLIENT_ID 267 | { 268 | HANDLE UniqueProcess; 269 | HANDLE UniqueThread; 270 | } CLIENT_ID, *PCLIENT_ID; 271 | 272 | typedef struct _CLIENT_ID32 273 | { 274 | ULONG UniqueProcess; 275 | ULONG UniqueThread; 276 | } CLIENT_ID32, *PCLIENT_ID32; 277 | 278 | typedef struct _CLIENT_ID64 279 | { 280 | ULONGLONG UniqueProcess; 281 | ULONGLONG UniqueThread; 282 | } CLIENT_ID64, *PCLIENT_ID64; 283 | 284 | #include 285 | 286 | typedef struct _KSYSTEM_TIME 287 | { 288 | ULONG LowPart; 289 | LONG High1Time; 290 | LONG High2Time; 291 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 292 | 293 | #include 294 | 295 | #endif 296 | 297 | #endif 298 | -------------------------------------------------------------------------------- /CveCheck/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | #include 6 | 7 | // When 
you are using pre-compiled headers, this source file is necessary for compilation to succeed. 8 | -------------------------------------------------------------------------------- /CveCheck/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /CveCheckUI/BaseWinDlg.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "InterceptInfoDlg.h" 3 | #include "BaseWinDlg.h" 4 | 5 | #define BUFSIZE 1024 6 | 7 | // Command 8 | HANDLE g_PipServerPortHandle; 9 | 10 | // Exec struct 11 | typedef struct _UNIVERMSG 12 | { 13 | ULONG ControlId; // Command function Id 14 | ULONG Event; // Event 15 | }UNIVERMSG, *PUNIVERMSG; 16 | 17 | typedef struct _MONITORCVEINFO 18 | { 19 | UNIVERMSG univermsg; 20 | wchar_t cvename[30]; // CVE Name 21 | int Pid; // Process Pid 22 | }MONITORCVEINFO, *PMONITORCVEINFO; 23 | 24 | DWORD PipCallBack( 25 | LPVOID lpThreadParameter 26 | ) 27 | { 28 | BaseWinDlg obj = (BaseWinDlg*)lpThreadParameter; 29 | char Databuffer[1024] = { 0 }; 30 | DWORD dwRead = 0; 31 | DWORD dwAvail = 0; 32 | if (g_PipServerPortHandle) 33 | { 34 | do 35 | { 36 | // PeekNamePipe用来预览一个管道中的数据,用来判断管道中是否为空 37 | if (!PeekNamedPipe(g_PipServerPortHandle, NULL, NULL, &dwRead, &dwAvail, NULL) || 
dwAvail <= 0) 38 | { 39 | break; 40 | } 41 | if (ReadFile(g_PipServerPortHandle, Databuffer, BUFSIZE, &dwRead, NULL)) 42 | { 43 | if (dwRead != 0) 44 | { 45 | // 直接提示处理 --- CveInfo传入 46 | InterceptInfo* pIntereptinfo = new InterceptInfo(); 47 | if (pIntereptinfo == NULL) return 0; 48 | pIntereptinfo->Create(NULL, _T("CveinterceptinfoWin"), UI_WNDSTYLE_FRAME, 0L, 0, 0, 990, 690); 49 | pIntereptinfo->CenterWindow(); 50 | pIntereptinfo->ShowModal(); 51 | } 52 | } 53 | } while (TRUE); 54 | } 55 | return 0; 56 | } 57 | 58 | BaseWinDlg::BaseWinDlg(void) 59 | { 60 | } 61 | 62 | BaseWinDlg::BaseWinDlg(const HANDLE PipHandle) 63 | { 64 | if (PipHandle) 65 | g_PipServerPortHandle = PipHandle; 66 | // Start Monitor ServerMsg 67 | HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PipCallBack, NULL, 0, NULL); 68 | } 69 | 70 | BaseWinDlg::~BaseWinDlg(void) 71 | { 72 | 73 | } 74 | 75 | DuiLib::CDuiString BaseWinDlg::GetSkinFile() 76 | { 77 | return _T("BaseWinDlg.xml"); 78 | } 79 | 80 | LPCTSTR BaseWinDlg::GetWindowClassName(void) const 81 | { 82 | return _T("BaseWinDlg"); 83 | } 84 | 85 | void BaseWinDlg::InitWindow() 86 | { 87 | } 88 | 89 | void BaseWinDlg::Notify(TNotifyUI &msg) 90 | { 91 | CDuiString name = msg.pSender->GetName(); 92 | 93 | // Buttion handle: Page switching 94 | if (msg.sType == _T("selectchanged")) 95 | { 96 | CTabLayoutUI* pTabSwitch = static_cast(m_pm.FindControl(_T("base_tab_switch"))); 97 | if (name.CompareNoCase(_T("VulnerabilityDefenseButton")) == 0) 98 | pTabSwitch->SelectItem(0); 99 | 100 | // Firewall_tab_pane1 101 | if (name.CompareNoCase(_T("FileStaticScanButton")) == 0) 102 | pTabSwitch->SelectItem(1); 103 | } 104 | return WindowImplBase::Notify(msg); 105 | } 106 | 107 | /* 108 | @ public WinBase 109 | Hnadle Button Msg 110 | */ 111 | void BaseWinDlg::OnClick(TNotifyUI &msg) 112 | { 113 | CDuiString sCtrlName = msg.pSender->GetName(); 114 | // Button Switch Start: WinDlg 115 | if (sCtrlName == _T("closebtn")) 116 | { 117 | 
this->Close(); 118 | return; 119 | } 120 | else if (sCtrlName == _T("minbtn")) 121 | { 122 | SendMessage(WM_SYSCOMMAND, SC_MINIMIZE, 0); 123 | return; 124 | } 125 | else if (sCtrlName == _T("restorebtn")) 126 | { 127 | SendMessage(WM_SYSCOMMAND, SC_RESTORE, 0); 128 | return; 129 | } 130 | } -------------------------------------------------------------------------------- /CveCheckUI/BaseWinDlg.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | class BaseWinDlg : public WindowImplBase 3 | { 4 | public: 5 | BaseWinDlg(); 6 | BaseWinDlg(const HANDLE PipHandle); 7 | ~BaseWinDlg(); 8 | 9 | public: 10 | virtual CDuiString GetSkinFile(); 11 | virtual LPCTSTR GetWindowClassName(void) const; 12 | virtual void Notify(TNotifyUI &msg); 13 | virtual LRESULT OnClose(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& bHandled) 14 | { 15 | PostQuitMessage(0); 16 | return 0; 17 | } 18 | // onclik 19 | virtual void OnClick(TNotifyUI& msg); 20 | void InitWindow(); 21 | }; 22 | 23 | -------------------------------------------------------------------------------- /CveCheckUI/CveCheckUI.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheckUI/CveCheckUI.ico -------------------------------------------------------------------------------- /CveCheckUI/CveCheckUI.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheckUI/CveCheckUI.rc -------------------------------------------------------------------------------- /CveCheckUI/CveCheckUI.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 
19 | 20 | 21 | 22 | 15.0 23 | {85AE5F07-41F7-4C46-AB5A-F1901C86EF14} 24 | Win32Proj 25 | CveCheckUI 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | false 35 | 36 | 37 | Application 38 | false 39 | v141 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v141 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v141 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | $(SolutionDir)bin\ 77 | $(SolutionDir)temp\CveCheckUI\$(Configuration)\ 78 | $(ProjectName)_d 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | false 88 | 89 | 90 | 91 | Use 92 | Level3 93 | Disabled 94 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 95 | false 96 | ProgramDatabase 97 | true 98 | MultiThreadedDebug 99 | true 100 | 101 | 102 | Windows 103 | true 104 | 105 | 106 | 107 | 108 | 109 | 110 | Level3 111 | Disabled 112 | true 113 | _DEBUG;_WINDOWS;%(PreprocessorDefinitions) 114 | true 115 | 116 | 117 | Windows 118 | true 119 | 120 | 121 | 122 | 123 | 124 | 125 | Level3 126 | MaxSpeed 127 | true 128 | true 129 | true 130 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 131 | true 132 | 133 | 134 | Windows 135 | true 136 | true 137 | true 138 | 139 | 140 | 141 | 142 | 143 | 144 | Level3 145 | MaxSpeed 146 | true 147 | true 148 | true 149 | NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 150 | true 151 | 152 | 153 | Windows 154 | true 155 | true 156 | true 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | Create 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | -------------------------------------------------------------------------------- /CveCheckUI/CveCheckUI.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | 
cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {024492ab-3346-430c-97bd-d7fed2b8f6e4} 18 | 19 | 20 | {06788836-cb7e-4151-aedc-f56ebcbc996b} 21 | 22 | 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | BaseWin 35 | 36 | 37 | Header Files 38 | 39 | 40 | InterceptInfoDlg 41 | 42 | 43 | 44 | 45 | Resource Files 46 | 47 | 48 | 49 | 50 | Resource Files 51 | 52 | 53 | Resource Files 54 | 55 | 56 | 57 | 58 | Source Files 59 | 60 | 61 | Source Files 62 | 63 | 64 | BaseWin 65 | 66 | 67 | InterceptInfoDlg 68 | 69 | 70 | 71 | 72 | BaseWin 73 | 74 | 75 | InterceptInfoDlg 76 | 77 | 78 | -------------------------------------------------------------------------------- /CveCheckUI/CveCheckUI.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /CveCheckUI/InterceptInfoDlg.cpp: -------------------------------------------------------------------------------- 1 | #include "StdAfx.h" 2 | #include "InterceptInfoDlg.h" 3 | 4 | 5 | InterceptInfo::InterceptInfo() 6 | { 7 | 8 | } 9 | 10 | InterceptInfo::~InterceptInfo() 11 | { 12 | 13 | } 14 | 15 | void InterceptInfo::InitWindow() 16 | { 17 | } 18 | 19 | void InterceptInfo::Notify(TNotifyUI &msg) 20 | { 21 | CDuiString name = msg.pSender->GetName(); 22 | 23 | // Buttion handle: Page switching 24 | if (msg.sType == _T("selectchanged")) 25 | { 26 | CTabLayoutUI* pTabSwitch = static_cast(m_pm.FindControl(_T("base_tab_switch"))); 27 | if (name.CompareNoCase(_T("VulnerabilityDefenseButton")) == 0) 28 | pTabSwitch->SelectItem(0); 29 | 30 | // Firewall_tab_pane1 31 | if (name.CompareNoCase(_T("FileStaticScanButton")) == 0) 
32 | pTabSwitch->SelectItem(1); 33 | } 34 | return WindowImplBase::Notify(msg); 35 | } 36 | 37 | DuiLib::CDuiString InterceptInfo::GetSkinFile() 38 | { 39 | return _T("InterceptInfoDlg.xml"); 40 | } 41 | 42 | LPCTSTR InterceptInfo::GetWindowClassName(void) const 43 | { 44 | return _T("InterceptInfoDlg"); 45 | } 46 | 47 | -------------------------------------------------------------------------------- /CveCheckUI/InterceptInfoDlg.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class InterceptInfo : public WindowImplBase 4 | { 5 | public: 6 | InterceptInfo(); 7 | ~InterceptInfo(); 8 | 9 | public: 10 | virtual CDuiString GetSkinFile(); 11 | virtual LPCTSTR GetWindowClassName(void) const; 12 | virtual void Notify(TNotifyUI &msg); 13 | virtual LRESULT OnClose(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& bHandled) 14 | { 15 | PostQuitMessage(0); 16 | return 0; 17 | } 18 | // onclik 19 | // virtual void OnClick(TNotifyUI& msg); 20 | void InitWindow(); 21 | }; -------------------------------------------------------------------------------- /CveCheckUI/Main.cpp: -------------------------------------------------------------------------------- 1 | // MimiSecUI.cpp : Defines the entry point for the application. 
2 | // 3 | #include "StdAfx.h" 4 | #include "framework.h" 5 | #include "Resource.h" 6 | // #include "InterceptInfoDlg.h" 7 | #include "BaseWinDlg.h" 8 | 9 | #define MAX_LOADSTRING 100 10 | /* 11 | @InitResource Load 12 | */ 13 | void InitResource() 14 | { 15 | #ifdef _DEBUG 16 | CPaintManagerUI::SetResourceType(UILIB_FILE); 17 | #else 18 | CPaintManagerUI::SetResourceType(UILIB_ZIPRESOURCE); 19 | #endif 20 | CDuiString strResourcePath = CPaintManagerUI::GetInstancePath(); 21 | switch (CPaintManagerUI::GetResourceType()) 22 | { 23 | case UILIB_FILE: 24 | { 25 | strResourcePath += _T("skin\\cvemodule\\"); 26 | CPaintManagerUI::SetResourcePath(strResourcePath.GetData()); 27 | CResourceManager::GetInstance()->LoadResource(_T("res.xml"), NULL); 28 | break; 29 | } 30 | case UILIB_RESOURCE: 31 | { 32 | strResourcePath += _T("skin\\cvemodule\\"); 33 | CPaintManagerUI::SetResourcePath(strResourcePath.GetData()); 34 | CResourceManager::GetInstance()->LoadResource(_T("IDR_RES"), _T("xml")); 35 | break; 36 | } 37 | case UILIB_ZIP: 38 | { 39 | strResourcePath += _T("skin\\"); 40 | CPaintManagerUI::SetResourcePath(strResourcePath.GetData()); 41 | CPaintManagerUI::SetResourceZip(_T("cvemodule.zip"), true); 42 | CResourceManager::GetInstance()->LoadResource(_T("res.xml"), NULL); 43 | break; 44 | } 45 | case UILIB_ZIPRESOURCE: 46 | { 47 | strResourcePath += _T("skin\\cvemodule\\"); 48 | CPaintManagerUI::SetResourcePath(strResourcePath.GetData()); 49 | 50 | HRSRC hResource = ::FindResource(CPaintManagerUI::GetResourceDll(), _T("IDR_ZIPRES"), _T("ZIPRES")); 51 | if (hResource != NULL) { 52 | DWORD dwSize = 0; 53 | HGLOBAL hGlobal = ::LoadResource(CPaintManagerUI::GetResourceDll(), hResource); 54 | if (hGlobal != NULL) { 55 | dwSize = ::SizeofResource(CPaintManagerUI::GetResourceDll(), hResource); 56 | if (dwSize > 0) { 57 | CPaintManagerUI::SetResourceZip((LPBYTE)::LockResource(hGlobal), dwSize); 58 | CResourceManager::GetInstance()->LoadResource(_T("res.xml"), NULL); 59 | } 60 | } 
61 | ::FreeResource(hResource); 62 | } 63 | } 64 | break; 65 | } 66 | } 67 | 68 | /* 69 | @Main Entry 70 | Load Log View Dlg && Load Base Win 71 | */ 72 | int APIENTRY wWinMain(_In_ HINSTANCE hInstance, 73 | _In_opt_ HINSTANCE hPrevInstance, 74 | _In_ LPWSTR lpCmdLine, 75 | _In_ int nCmdShow) 76 | { 77 | UNREFERENCED_PARAMETER(hPrevInstance); 78 | UNREFERENCED_PARAMETER(lpCmdLine); 79 | 80 | // 1. Init Resource 81 | HRESULT Hr = ::CoInitialize(NULL); 82 | if (FAILED(Hr)) return 0; 83 | CPaintManagerUI::SetInstance(hInstance); 84 | InitResource(); 85 | 86 | // 2. Init Pip 87 | if (WaitNamedPipe(L"\\\\.\\Pipe\\uiport", NMPWAIT_WAIT_FOREVER) == false) { 88 | // return 0; 89 | } 90 | 91 | HANDLE hPipe = CreateFile(L"\\\\.\\Pipe\\uiport", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 92 | //if (hPipe == INVALID_HANDLE_VALUE) 93 | // return 0; 94 | 95 | BaseWinDlg* pBaseWinobj = new BaseWinDlg(hPipe); 96 | if (pBaseWinobj == NULL) return 0; 97 | pBaseWinobj->Create(NULL, _T("CveWin"), UI_WNDSTYLE_FRAME, 0L, 0, 0, 990, 690); 98 | pBaseWinobj->CenterWindow(); 99 | pBaseWinobj->ShowModal(); 100 | 101 | CPaintManagerUI::MessageLoop(); 102 | 103 | return 0; 104 | } 105 | -------------------------------------------------------------------------------- /CveCheckUI/Resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 
3 | // Used by CveCheckUI.rc 4 | 5 | #define IDS_APP_TITLE 103 6 | 7 | #define IDR_MAINFRAME 128 8 | #define IDD_CVECHECKUI_DIALOG 102 9 | #define IDD_ABOUTBOX 103 10 | #define IDM_ABOUT 104 11 | #define IDM_EXIT 105 12 | #define IDI_CVECHECKUI 107 13 | #define IDI_SMALL 108 14 | #define IDC_CVECHECKUI 109 15 | #define IDC_MYICON 2 16 | #ifndef IDC_STATIC 17 | #define IDC_STATIC -1 18 | #endif 19 | // Next default values for new objects 20 | // 21 | #ifdef APSTUDIO_INVOKED 22 | #ifndef APSTUDIO_READONLY_SYMBOLS 23 | 24 | #define _APS_NO_MFC 130 25 | #define _APS_NEXT_RESOURCE_VALUE 129 26 | #define _APS_NEXT_COMMAND_VALUE 32771 27 | #define _APS_NEXT_CONTROL_VALUE 1000 28 | #define _APS_NEXT_SYMED_VALUE 110 29 | #endif 30 | #endif 31 | -------------------------------------------------------------------------------- /CveCheckUI/StdAfx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // App.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "StdAfx.h" 6 | 7 | #if defined _M_IX86 8 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"") 9 | #elif defined _M_IA64 10 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='ia64' publicKeyToken='6595b64144ccf1df' language='*'\"") 11 | #elif defined _M_X64 12 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"") 13 | #else 14 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' 
publicKeyToken='6595b64144ccf1df' language='*'\"") 15 | #endif 16 | -------------------------------------------------------------------------------- /CveCheckUI/StdAfx.h: -------------------------------------------------------------------------------- 1 | 2 | #if !defined(AFX_STDAFX_H__A9DB83DB_A9FD_11D0_BFD1_444553540000__INCLUDED_) 3 | #define AFX_STDAFX_H__A9DB83DB_A9FD_11D0_BFD1_444553540000__INCLUDED_ 4 | 5 | #pragma once 6 | 7 | #define WIN32_LEAN_AND_MEAN 8 | #define _CRT_SECURE_NO_DEPRECATE 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "..\DuiLib\UIlib.h" 15 | 16 | using namespace DuiLib; 17 | 18 | #ifdef _DEBUG 19 | # ifdef _UNICODE 20 | # pragma comment(lib, "..\\lib\\DuiLib_d.lib") 21 | # else 22 | # pragma comment(lib, "..\\lib\\DuiLibA_d.lib") 23 | # endif 24 | #else 25 | # ifdef _UNICODE 26 | # pragma comment(lib, "..\\lib\\DuiLib.lib") 27 | # else 28 | # pragma comment(lib, "..\\lib\\DuiLibA.lib") 29 | # endif 30 | #endif 31 | 32 | //{{AFX_INSERT_LOCATION}} 33 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 
34 | 35 | #endif // !defined(AFX_STDAFX_H__A9DB83DB_A9FD_11D0_BFD1_444553540000__INCLUDED_) 36 | -------------------------------------------------------------------------------- /CveCheckUI/framework.h: -------------------------------------------------------------------------------- 1 | // header.h : include file for standard system include files, 2 | // or project specific include files 3 | // 4 | 5 | #pragma once 6 | 7 | #include "targetver.h" 8 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 9 | // Windows Header Files 10 | #include 11 | // C RunTime Header Files 12 | #include 13 | #include 14 | #include 15 | #include 16 | -------------------------------------------------------------------------------- /CveCheckUI/small.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveCheckUI/small.ico -------------------------------------------------------------------------------- /CveCheckUI/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // // Including SDKDDKVer.h defines the highest available Windows platform. 4 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 5 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
6 | #include 7 | -------------------------------------------------------------------------------- /CveServer/CveServer.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 15.0 35 | {F99166BB-FEF1-48A4-A273-BE2E391598E9} 36 | Win32Proj 37 | CveServer 38 | 10.0.17763.0 39 | 40 | 41 | 42 | Application 43 | true 44 | v141 45 | Unicode 46 | false 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | false 55 | 56 | 57 | Application 58 | true 59 | v141 60 | Unicode 61 | 62 | 63 | Application 64 | false 65 | v141 66 | true 67 | Unicode 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | true 89 | $(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86);$(NETFXKitsDir)Lib\um\x86 90 | ..\bin\$(Platform)\ 91 | 92 | 93 | true 94 | 95 | 96 | false 97 | 98 | 99 | false 100 | 101 | 102 | 103 | 104 | 105 | Level3 106 | Disabled 107 | false 108 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | false 110 | MultiThreadedDebug 111 | 112 | 113 | Console 114 | true 115 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 116 | ..\lib\$(platform)\;%(AdditionalLibraryDirectories) 117 | RequireAdministrator 118 | 119 | 120 | 121 | 122 | 123 | 124 | Level3 125 | Disabled 126 | true 127 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 128 | true 129 | 130 | 131 | Console 132 | true 133 | 134 | 135 | 136 | 137 | 138 | 139 | Level3 140 | MaxSpeed 141 | true 142 | true 143 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 144 | true 145 | MultiThreadedDebug 146 | 147 | 148 | Console 149 | true 150 | true 151 | true 152 | 
..\lib\$(platform)\;%(AdditionalLibraryDirectories) 153 | 154 | 155 | 156 | 157 | 158 | 159 | Level3 160 | MaxSpeed 161 | true 162 | true 163 | true 164 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 165 | true 166 | 167 | 168 | Console 169 | true 170 | true 171 | true 172 | 173 | 174 | 175 | 176 | 177 | -------------------------------------------------------------------------------- /CveServer/CveServer.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 11 | 12 | 13 | {0642eb13-87fe-4e34-bb43-e2736be3a246} 14 | 15 | 16 | {28875359-c107-4b33-9d99-8fd451865003} 17 | 18 | 19 | {83cf6352-a5d7-4de1-b7d1-2b53b97ba516} 20 | 21 | 22 | 23 | 24 | HlprServerAlpc 25 | 26 | 27 | Source Files 28 | 29 | 30 | HlprServerPip 31 | 32 | 33 | InjectDLL 34 | 35 | 36 | 37 | 38 | InjectDLL 39 | 40 | 41 | HlprServerAlpc 42 | 43 | 44 | HlprServerPip 45 | 46 | 47 | Source Files 48 | 49 | 50 | -------------------------------------------------------------------------------- /CveServer/CveServer.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | WindowsRemoteDebugger 5 | 6 | -------------------------------------------------------------------------------- /CveServer/CveServerMain.cpp: -------------------------------------------------------------------------------- 1 | // CveServer.cpp : This file contains the 'main' function. Program execution begins and ends there. 
2 | // 3 | 4 | #include 5 | #include 6 | 7 | //#pragma comment(lib,"alpc.lib 8 | #include "HlprServerAlpc.h" 9 | 10 | // Master Thread No-Exit 11 | void wait() 12 | { 13 | MSG msg; 14 | while (GetMessage(&msg, NULL, 0, 0)) 15 | { 16 | TranslateMessage(&msg); 17 | DispatchMessage(&msg); 18 | } 19 | } 20 | 21 | void PipServerCallback( 22 | wchar_t* PortName 23 | ) 24 | { 25 | 26 | } 27 | 28 | int main() 29 | /* 30 | 31 | Enable Thread wait Client Connect 32 | Driver: Recv Msg Inject Process(dll) <--> block 33 | Dll: Recv Monitor info <--> block 34 | */ 35 | { 36 | getchar(); 37 | 38 | HANDLE hDllPortHandle, hDriverPortHandle; 39 | WCHAR CveDriverPortName[] = L"\\RPC Control\\CveDriverPort"; 40 | WCHAR CveMonitorPortName[] = L"\\RPC Control\\CveMonitorPort"; 41 | // remote debug breakpointer 42 | 43 | InitEvent(); 44 | 45 | // PipServer 46 | CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&PipServerCallback, NULL, 0, NULL); 47 | // Driver ALPC Services Port 48 | hDriverPortHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&AlpcPortStart, (LPVOID)CveDriverPortName, 0, NULL); 49 | // DLL Monitor ALPC Services Port 50 | hDllPortHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&AlpcPortStart, (LPVOID)CveMonitorPortName, 0, NULL); 51 | 52 | // wait(); 53 | WaitForSingleObject(hDriverPortHandle, INFINITE); 54 | 55 | return 0; 56 | } -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.log: -------------------------------------------------------------------------------- 1 |  CveServerMain.cpp 2 | HlprServerAlpc.cpp 3 | f:\exp\cveserver\hlprserveralpc.cpp(339): warning C4101: 'bTemp': unreferenced local variable 4 | HlprServerPip.cpp 5 | InjectMonProcessTest.cpp 6 | Generating Code... 
7 | CveServer.vcxproj -> F:\Exp\CveServer\..\bin\Win32\CveServer.exe 8 | -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/CveServer.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|Win32|F:\Exp\| 3 | -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/link.command.1.tlog 
-------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /CveServer/Debug/CveServer.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServer.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /CveServer/Debug/CveServerMain.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/CveServerMain.obj -------------------------------------------------------------------------------- /CveServer/Debug/HlprServerAlpc.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/HlprServerAlpc.obj -------------------------------------------------------------------------------- /CveServer/Debug/HlprServerPip.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/HlprServerPip.obj -------------------------------------------------------------------------------- /CveServer/Debug/InjectMonProcessTest.obj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/InjectMonProcessTest.obj -------------------------------------------------------------------------------- /CveServer/Debug/vc141.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/vc141.idb -------------------------------------------------------------------------------- /CveServer/Debug/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Debug/vc141.pdb -------------------------------------------------------------------------------- /CveServer/HlprServerAlpc.cpp: -------------------------------------------------------------------------------- 1 | #include "ntbasic.h" 2 | #include "HlprServerPip.h" 3 | #include "HlprServerAlpc.h" 4 | #include "InjectMonProcess.h" 5 | #include 6 | #include 7 | 8 | using namespace std; 9 | 10 | // HlprServerPip pipsrvobj; 11 | 12 | // 负责保存进程pid, 防止注入多次 13 | vector PidVec; 14 | 15 | 16 | /************************************************************************* 17 | lnk lib extern 18 | *************************************************************************/ 19 | extern "C" 20 | { 21 | typedef struct _PORT_VIEW 22 | { 23 | ULONG Length; 24 | HANDLE SectionHandle; 25 | ULONG SectionOffset; 26 | SIZE_T ViewSize; 27 | PVOID ViewBase; 28 | PVOID ViewRemoteBase; 29 | } PORT_VIEW, *PPORT_VIEW; 30 | 31 | typedef struct _REMOTE_PORT_VIEW 32 | { 33 | ULONG Length; 34 | SIZE_T ViewSize; 35 | PVOID ViewBase; 36 | } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; 37 | 38 | typedef struct _PORT_MESSAGE 39 | { 40 | union 41 | { 42 | struct 43 | { 44 | CSHORT DataLength; 45 | CSHORT TotalLength; 46 | } s1; 47 | ULONG Length; 48 | } u1; 49 
| union 50 | { 51 | struct 52 | { 53 | CSHORT Type; 54 | CSHORT DataInfoOffset; 55 | } s2; 56 | ULONG ZeroInit; 57 | } u2; 58 | union 59 | { 60 | CLIENT_ID ClientId; 61 | QUAD DoNotUseThisField; 62 | }; 63 | ULONG MessageId; 64 | union 65 | { 66 | SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages 67 | ULONG CallbackId; // only valid for LPC_REQUEST messages 68 | }; 69 | } PORT_MESSAGE, *PPORT_MESSAGE; 70 | 71 | typedef struct _ALPC_MESSAGE_ATTRIBUTES 72 | { 73 | ULONG AllocatedAttributes; 74 | ULONG ValidAttributes; 75 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; 76 | 77 | // symbols 78 | typedef struct _ALPC_PORT_ATTRIBUTES 79 | { 80 | ULONG Flags; 81 | SECURITY_QUALITY_OF_SERVICE SecurityQos; 82 | SIZE_T MaxMessageLength; 83 | SIZE_T MemoryBandwidth; 84 | SIZE_T MaxPoolUsage; 85 | SIZE_T MaxSectionSize; 86 | SIZE_T MaxViewSize; 87 | SIZE_T MaxTotalSectionSize; 88 | ULONG DupObjectTypes; 89 | #ifdef _M_X64 90 | ULONG Reserved; 91 | #endif 92 | } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; 93 | 94 | NTSYSCALLAPI 95 | NTSTATUS 96 | NTAPI 97 | NtAlpcCreatePort( 98 | __out PHANDLE PortHandle, 99 | __in POBJECT_ATTRIBUTES ObjectAttributes, 100 | __in_opt PALPC_PORT_ATTRIBUTES PortAttributes 101 | ); 102 | 103 | NTSYSAPI 104 | VOID 105 | NTAPI 106 | RtlInitUnicodeString( 107 | _Out_ PUNICODE_STRING DestinationString, 108 | _In_opt_z_ __drv_aliasesMem PCWSTR SourceString 109 | ); 110 | 111 | NTSYSAPI 112 | NTSTATUS 113 | NTAPI 114 | ZwCreateSection( 115 | _Out_ PHANDLE SectionHandle, 116 | _In_ ACCESS_MASK DesiredAccess, 117 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 118 | _In_opt_ PLARGE_INTEGER MaximumSize, 119 | _In_ ULONG SectionPageProtection, 120 | _In_ ULONG AllocationAttributes, 121 | _In_opt_ HANDLE FileHandle 122 | ); 123 | 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtAlpcConnectPort( 128 | __out PHANDLE PortHandle, 129 | __in PUNICODE_STRING PortName, 130 | __in POBJECT_ATTRIBUTES ObjectAttributes, 131 | 
__in_opt PALPC_PORT_ATTRIBUTES PortAttributes, 132 | __in ULONG Flags, 133 | __in_opt PSID RequiredServerSid, 134 | __inout PPORT_MESSAGE ConnectionMessage, 135 | __inout_opt PULONG BufferLength, 136 | __inout_opt PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, 137 | __inout_opt PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, 138 | __in_opt PLARGE_INTEGER Timeout 139 | ); 140 | 141 | NTSYSCALLAPI 142 | NTSTATUS 143 | NTAPI 144 | NtAlpcAcceptConnectPort( 145 | __out PHANDLE PortHandle, 146 | __in HANDLE ConnectionPortHandle, 147 | __in ULONG Flags, 148 | __in POBJECT_ATTRIBUTES ObjectAttributes, 149 | __in PALPC_PORT_ATTRIBUTES PortAttributes, 150 | __in_opt PVOID PortContext, 151 | __in PPORT_MESSAGE ConnectionRequest, 152 | __inout_opt PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes, 153 | __in BOOLEAN AcceptConnection 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtAlpcSendWaitReceivePort( 160 | __in HANDLE PortHandle, 161 | __in ULONG Flags, 162 | __in_opt PPORT_MESSAGE SendMessage, 163 | __in_opt PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes, 164 | __inout_opt PPORT_MESSAGE ReceiveMessage, 165 | __inout_opt PULONG BufferLength, 166 | __inout_opt PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes, 167 | __in_opt PLARGE_INTEGER Timeout 168 | ); 169 | 170 | NTSYSCALLAPI 171 | NTSTATUS 172 | NTAPI 173 | NtReplyWaitReceivePort( 174 | __in HANDLE PortHandle, 175 | __out_opt PVOID *PortContext, 176 | __in_opt PPORT_MESSAGE ReplyMessage, 177 | __out PPORT_MESSAGE ReceiveMessage 178 | ); 179 | 180 | NTSYSCALLAPI 181 | NTSTATUS 182 | NTAPI 183 | NtAlpcDisconnectPort( 184 | __in HANDLE PortHandle, 185 | __in ULONG Flags 186 | ); 187 | } 188 | 189 | /************************************************************************* 190 | function handle Code 191 | *************************************************************************/ 192 | enum CommandofCodeID 193 | { 194 | ALPC_DRIVER_DLL_INJECTENABLE = 1, 195 | ALPC_DRIVER_DLL_INJECTDISABLE, 196 | 197 | 
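ALPC_DRIVER_CONNECTSERVER = 10,
ALPC_DRIVER_CONNECTSERVER_RECV,
ALPC_DLL_CONNECTSERVER,
ALPC_DLL_CONNECTSERVER_RECV,
ALPC_UNCONNECTSERVER,

ALPC_DLL_MONITOR_CVE = 30,
ALPC_DLL_INJECT_SUCCESS,
ALPC_DLL_INJECT_FAILUER
};

// Event handles
HANDLE Injecteventhandle;  // driver inject request
HANDLE Monitoreventhandle; // DLL monitor handling request

// Largest message the server port accepts (ALPC_PORT_ATTRIBUTES.MaxMessageLength)
// and the size of the receive buffer handed to NtAlpcSendWaitReceivePort.
// Both must agree: the kernel copies up to BufferLength bytes into the buffer.
static const ULONG kAlpcMaxMessageLength = 0x500;

/*
Builds a contiguous ALPC message: a PORT_MESSAGE header followed by
MessageSize payload bytes, in a zeroed process-heap allocation.

PortMessage - header to copy (MessageId / lengths already filled by caller)
MessageSize - payload size in bytes (may be 0)
Message     - payload bytes; may be NULL only when MessageSize is 0

Returns NULL on a NULL header, a NULL payload with non-zero size, or when
HeapAlloc fails. The caller owns the buffer and releases it with
HeapFree(GetProcessHeap(), 0, ...).
*/
LPVOID CreateMsgMem(
    PPORT_MESSAGE PortMessage,
    SIZE_T MessageSize,
    LPVOID Message
)
{
    if (!PortMessage || (MessageSize != 0 && !Message))
        return NULL;

    LPVOID lpMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MessageSize + sizeof(PORT_MESSAGE));
    if (!lpMem)
        return NULL;

    memcpy(lpMem, PortMessage, sizeof(PORT_MESSAGE));
    if (MessageSize != 0)
        memcpy((BYTE*)lpMem + sizeof(PORT_MESSAGE), Message, MessageSize);
    return lpMem;
}

/*
@private:
Handles one client request received on the connection port (bidirectional
message handling).

lpMem      - receive buffer; begins with the PORT_MESSAGE header, the payload
             (a UNIVERMSG, or a larger struct that embeds one) follows it.
SendtoPort - port handle used for replies to this client.
msgid      - MessageId of the request, echoed in any reply.

The payload length is taken from the PORT_MESSAGE header at lpMem, so a
message shorter than the struct a case expects is dropped instead of being
read past its end. Every case that does not reply is silent.
*/
void DispatchMsgHandle(
    const LPVOID lpMem,
    HANDLE* SendtoPort,
    const int msgid
)
{
    if (!lpMem || !SendtoPort)
        return;

    // DataLength is a CSHORT; reject anything shorter than the smallest payload
    // before interpreting the buffer.
    const PPORT_MESSAGE Header = (PPORT_MESSAGE)lpMem;
    const LONG DataLength = Header->u1.s1.DataLength;
    if (DataLength < (LONG)sizeof(UNIVERMSG))
        return;

    // Analysis universMsg
    UNIVERMSG* Msg = (UNIVERMSG*)((BYTE*)lpMem + sizeof(PORT_MESSAGE));

    // Get DLL or Driver Msg
    switch (Msg->ControlId)
    {
    case ALPC_DRIVER_DLL_INJECTENABLE:
    {
        if (DataLength < (LONG)sizeof(DIRVER_INJECT_DLL))
            return;
        DIRVER_INJECT_DLL* InjectDllInject = (DIRVER_INJECT_DLL*)Msg;

        // Inject at most once per pid: a pid already seen is ignored.
        if (std::find(PidVec.begin(), PidVec.end(), InjectDllInject->Pids) != PidVec.end())
            return;
        PidVec.push_back(InjectDllInject->Pids);

        UNIVERMSG univermsg = { 0, };
        univermsg.ControlId = ALPC_DLL_INJECT_FAILUER;

        //
        // Create Share Memory
        //
        // The image base is published through a named section. The mapping
        // handle is deliberately kept open: the section exists only while
        // some handle to it does, and the reader opens it later. The view is
        // unmapped as soon as the value has been written.
        // NOTE(review): the section is created with default security, so any
        // process in the session that can open "ShareImageBase" can read or
        // overwrite the published value.
        //
        HANDLE BaseSharedMapFile = CreateFileMappingA(NULL, NULL, PAGE_READWRITE, 0, 100, "ShareImageBase");
        if (BaseSharedMapFile)
        {
            LPVOID ImageBaseaddr = MapViewOfFile(BaseSharedMapFile, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
            if (ImageBaseaddr)
            {
                // Only sizeof(ULONG) bytes are published. This equals the full
                // pointer on the Win32 build; on x64 it truncates ImageBase —
                // confirm the reader's expected width before changing it.
                memcpy(ImageBaseaddr, &InjectDllInject->ImageBase, sizeof(ULONG));
                UnmapViewOfFile(ImageBaseaddr);
                univermsg.ControlId = ALPC_DLL_INJECT_SUCCESS;
            }
        }

        // Inject Dll
        // wchar_t MonitorDLLPath[] = L"CveCheck.dll";
        // BOOL nStatus = InjectDLLStart(MonitorDLLPath, InjectDllInject->Pids);
        //
        // Report success or failure so the sender knows the injection step has
        // completed and can continue (activate the event / load callbacks).
        //
        AlpcSendtoClientMsg(*SendtoPort, &univermsg, msgid);
    }
    break;
    case ALPC_DRIVER_DLL_INJECTDISABLE:
    {
        // Not implemented.
    }
    break;
    case ALPC_UNCONNECTSERVER:
    {
        // Not implemented.
    }
    break;
    case ALPC_DLL_MONITOR_CVE:
    /*++
    Notify the UI that a hit needs handling and wait for the UI's answer.
    The pipe hand-off (pipsrvobj) is currently disabled, so the payload is
    validated but not forwarded; only the named event is signalled.
    --*/
    {
        if (DataLength < (LONG)sizeof(MONITORCVEINFO))
            return;
        //MONITORCVEINFO* MonCveInfo = (MONITORCVEINFO*)Msg;
        //if (!pipsrvobj)
        //    break;
        // pipsrvobj.PipSendMsg((wchar_t*)MonCveInfo, sizeof(MONITORCVEINFO));
        //
        // Wait UI recv
        // if perimnt
        //
        // SetEvent needs only EVENT_MODIFY_STATE; the handle is closed after use.
        HANDLE evt = OpenEvent(EVENT_MODIFY_STATE, FALSE, L"CVE-2016-0819");
        if (evt)
        {
            SetEvent(evt);
            CloseHandle(evt);
        }
    }
    break;
    default:
        break;
    }
}

/*
@public:
Creates the ALPC server port, accepts the first connection and then
dispatches every client request to DispatchMsgHandle.

PortName - NT object name of the server port (NULL returns immediately).

Returns when the port cannot be created, the first message is not a known
connect request, the connection is not accepted, or a receive fails/returns
an empty message. Port handles are closed on every exit path.
*/
void AlpcPortStart(
    wchar_t* PortName
)
{
    ALPC_PORT_ATTRIBUTES serverPortAttr;
    OBJECT_ATTRIBUTES objPort;
    UNICODE_STRING usPortName;
    PORT_MESSAGE pmRequest;
    NTSTATUS ntRet;
    HANDLE hConnectedPort = NULL;
    HANDLE hPort = NULL;
    ULONG nLen;
    void* lpMem = NULL;

    // Receive buffer sized to MaxMessageLength, 8-byte aligned so the
    // PORT_MESSAGE header can be read in place. A bare PORT_MESSAGE here would
    // be overrun because BufferLength tells the kernel 0x500 bytes are usable.
    ULONGLONG recvBufStorage[kAlpcMaxMessageLength / sizeof(ULONGLONG)];
    PPORT_MESSAGE pmReceive = (PPORT_MESSAGE)recvBufStorage;
    UNIVERMSG* Msg = (UNIVERMSG*)((BYTE*)recvBufStorage + sizeof(PORT_MESSAGE));

    if (!PortName)
        return;

    // pipsrvobj.StartServerPip();

    // Seed PidVec (kept from the original: ensures the callback can enter its loop).
    PidVec.push_back(8888);

    RtlInitUnicodeString(&usPortName, PortName);
    // NOTE(review): no security descriptor is supplied, so the port gets the
    // default DACL and any local client able to open it may connect and issue
    // commands; the first message's ControlId is the only client identification.
    InitializeObjectAttributes(&objPort, &usPortName, 0, 0, 0);
    RtlSecureZeroMemory(&serverPortAttr, sizeof(serverPortAttr));
    serverPortAttr.MaxMessageLength = kAlpcMaxMessageLength;
    ntRet = NtAlpcCreatePort(&hPort, &objPort, &serverPortAttr);
    if (!NT_SUCCESS(ntRet))
        return;

    // The first message on a fresh server port is the connection request.
    nLen = kAlpcMaxMessageLength;
    ntRet = NtAlpcSendWaitReceivePort(hPort, 0, NULL, NULL, pmReceive, &nLen, NULL, NULL);
    if (!NT_SUCCESS(ntRet) || pmReceive->u1.s1.DataLength < (CSHORT)sizeof(UNIVERMSG))
    {
        CloseHandle(hPort);
        return;
    }

    // Both client kinds get the same reply shape; only the ControlId differs.
    ULONG replyId = 0;
    switch (Msg->ControlId)
    {
    case ALPC_DRIVER_CONNECTSERVER:
        replyId = ALPC_DRIVER_CONNECTSERVER_RECV;
        break;
    case ALPC_DLL_CONNECTSERVER:
        replyId = ALPC_DLL_CONNECTSERVER_RECV;
        break;
    default:
        // Unknown client type: the original left the reply buffer
        // uninitialised here; refuse instead of accepting.
        CloseHandle(hPort);
        return;
    }

    // Connect reply ("online" message): same MessageId as the request.
    RtlSecureZeroMemory(&pmRequest, sizeof(pmRequest));
    pmRequest.MessageId = pmReceive->MessageId;
    UNIVERMSG universmg = { 0, };
    universmg.ControlId = replyId;
    // user-mode event handle hand-off (disabled)
    //if (Injecteventhandle)
    //    universmg.Event = (ULONG)Injecteventhandle;
    pmRequest.u1.s1.DataLength = sizeof(UNIVERMSG);
    pmRequest.u1.s1.TotalLength = (CSHORT)(pmRequest.u1.s1.DataLength + sizeof(PORT_MESSAGE));
    lpMem = CreateMsgMem(&pmRequest, sizeof(UNIVERMSG), &universmg);
    if (!lpMem)
    {
        CloseHandle(hPort);
        return;
    }

    ntRet = NtAlpcAcceptConnectPort(&hConnectedPort,
        hPort,
        0,
        NULL,
        NULL,
        NULL,
        (PPORT_MESSAGE)lpMem,
        NULL,
        TRUE);
    HeapFree(GetProcessHeap(), 0, lpMem);
    lpMem = NULL;
    if (!NT_SUCCESS(ntRet))
    {
        CloseHandle(hPort);
        return;
    }

    //
    // Single-threaded: loop receiving client messages.
    // Multi-threaded would need per-client separation / shared-resource handling.
    //
    for (;;)
    {
        // BufferLength is in/out and is shrunk to the received size, so it is
        // reset before every receive.
        nLen = kAlpcMaxMessageLength;
        ntRet = NtAlpcSendWaitReceivePort(hPort, 0, NULL, NULL, pmReceive, &nLen, NULL, NULL);
        if (!NT_SUCCESS(ntRet))
            break;
        // Empty Msg
        if (0 >= pmReceive->u1.s1.DataLength)
            break;
        // Dispatch Msg
        DispatchMsgHandle(pmReceive, &hConnectedPort, pmReceive->MessageId);
    }

    CloseHandle(hConnectedPort);
    CloseHandle(hPort);
}

/*
@public:
Sends one UNIVERMSG to a client port.

sendPort  - port handle to send on
univermsg - payload (NULL is ignored)
msgid     - MessageId to carry, normally the id of the request being answered

The send is fire-and-forget: no receive buffer, no timeout, and — because the
interface is void — a failed send is not reported to the caller.
*/
void AlpcSendtoClientMsg(
    HANDLE sendPort,
    UNIVERMSG* univermsg,
    const int msgid)
{
    if (!univermsg)
        return;

    PORT_MESSAGE pmSend;
    RtlSecureZeroMemory(&pmSend, sizeof(pmSend));
    pmSend.MessageId = msgid;
    pmSend.u1.s1.DataLength = sizeof(UNIVERMSG);
    pmSend.u1.s1.TotalLength = (CSHORT)(pmSend.u1.s1.DataLength + sizeof(PORT_MESSAGE));

    // Same header+payload layout as the connect reply, built by the shared helper.
    LPVOID lpMem = CreateMsgMem(&pmSend, sizeof(UNIVERMSG), univermsg);
    if (!lpMem)
        return;
    NtAlpcSendWaitReceivePort(sendPort, 0, (PPORT_MESSAGE)lpMem, NULL, NULL, NULL, NULL, NULL);
    HeapFree(GetProcessHeap(), 0, lpMem);
}

/*
Creates the two auto-reset, initially non-signalled, unnamed events used by
the inject / monitor paths. A NULL handle on failure is left in place;
nothing in this file closes either handle.
*/
void InitEvent()
{
    //
    // Init Event Handle
    //
    Injecteventhandle = CreateEvent(NULL, FALSE, FALSE, NULL);
    Monitoreventhandle = CreateEvent(NULL, FALSE, FALSE, NULL);
}
-------------------------------------------------------------------------------- /CveServer/HlprServerAlpc.h: --------------------------------------------------------------------------------
#pragma once
#pragma comment(lib,"alpc.lib")
#pragma comment(lib,"ntdll.lib")


// Exec struct
typedef struct _UNIVERMSG
{
    ULONG ControlId; // Command function Id
    ULONG Event; // Event
}UNIVERMSG, *PUNIVERMSG;

// DIRVER_INJECT_DLL
typedef struct _DIRVER_INJECT_DLL
{
    UNIVERMSG univermsg;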
// ALL Port Analys MSG 17 | PVOID ImageBase; 18 | ULONG Pids; 19 | wchar_t MsgData[10]; 20 | }DIRVER_INJECT_DLL, *PDIRVER_INJECT_DLL; 21 | 22 | typedef struct _MONITORCVEINFO 23 | { 24 | UNIVERMSG univermsg; 25 | wchar_t cvename[30]; // CVE Name 26 | int Pid; // Process Pid 27 | }MONITORCVEINFO, *PMONITORCVEINFO; 28 | 29 | 30 | void AlpcPortStart(wchar_t* PortName); 31 | 32 | void AlpcSendtoClientMsg(HANDLE sendPort, UNIVERMSG* univermsg, const int msgid); 33 | 34 | void InitEvent(); -------------------------------------------------------------------------------- /CveServer/HlprServerPip.cpp: -------------------------------------------------------------------------------- 1 | #include "HlprServerPip.h" 2 | #include 3 | #include 4 | 5 | using namespace std; 6 | 7 | HANDLE m_PipHandle; 8 | 9 | HlprServerPip::HlprServerPip() 10 | { 11 | 12 | } 13 | 14 | HlprServerPip::~HlprServerPip() 15 | { 16 | 17 | } 18 | 19 | int HlprServerPip::StartServerPip( 20 | ) 21 | { 22 | m_PipHandle = CreateNamedPipeW(L"\\\\.\\Pipe\\uiport", PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 0, 0, 1000, NULL); 23 | if (m_PipHandle == INVALID_HANDLE_VALUE) 24 | { 25 | // Log 26 | cout << "[+]CreateNamedPipeW Error: %d\r\n" << GetLastError() << endl; 27 | return -1; 28 | } 29 | 30 | // Wait UI-Connect 31 | BOOL nRet = ConnectNamedPipe(m_PipHandle, NULL); 32 | if (!nRet) 33 | { 34 | // Log 35 | cout << "[+]ConnectNamedPipe Client Connect: %d\r\n" << GetLastError() << endl; 36 | return -1; 37 | } 38 | 39 | return 0; 40 | } 41 | 42 | int HlprServerPip::PipSendMsg( 43 | wchar_t* buf, 44 | const int bufLen 45 | ) 46 | { 47 | if (m_PipHandle) 48 | { 49 | DWORD wrtSize = 0; 50 | BOOL nRet = WriteFile(m_PipHandle, buf, bufLen, &wrtSize, NULL); 51 | if (!nRet) 52 | return -1; 53 | else 54 | return 0; 55 | } 56 | 57 | return 0; 58 | } 59 | 60 | void HlprServerPip::PipClose() 61 | { 62 | if (m_PipHandle) 63 | CloseHandle(m_PipHandle); 64 | m_PipHandle = NULL; 65 | } 
-------------------------------------------------------------------------------- /CveServer/HlprServerPip.h: --------------------------------------------------------------------------------
#pragma once

// Server side of the UI named pipe. Note that the constructor and destructor
// sit in the class's default (private) section, so no instance can be
// created from outside the class; the only use site in HlprServerAlpc.cpp
// is commented out. The class declares no data members: the pipe handle
// lives at file scope in HlprServerPip.cpp.
class HlprServerPip
{
    HlprServerPip();
    ~HlprServerPip();

private:


public:
    // Creates the pipe and waits for the UI to connect; 0 on success, -1 on failure.
    int StartServerPip();
    // Writes bufLen bytes from buf to the pipe; 0 on success, -1 on failure.
    int PipSendMsg(wchar_t* buf, const int bufLen);
    // Closes the pipe handle.
    void PipClose();
};

-------------------------------------------------------------------------------- /CveServer/InjectMonProcess.h: --------------------------------------------------------------------------------
#pragma once


// Loads DllPath into process Pids (implemented in InjectMonProcessTest.cpp).
int InjectDLLStart(wchar_t* DllPath, const DWORD Pids);

// Declared here; no definition is visible in this file set.
int ApcInjectDLLStar(const DWORD Pids);
-------------------------------------------------------------------------------- /CveServer/InjectMonProcessTest.cpp: --------------------------------------------------------------------------------
// RemoteThread.cpp : defines the entry point for the console application.
//
#include    // header name lost in rendering
#include    // header name lost in rendering
#include    // header name lost in rendering
// #include "../alpc/ntlpcapi.h"


// Signature of ntdll!NtAllocateVirtualMemory, resolved at run time below.
typedef NTSTATUS(WINAPI* P_NtAllocateVirtualMemory)(
    IN HANDLE ProcessHandle,
    PVOID *BaseAddress,
    IN ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect);

// Set by InjectDLLStart; NULL until then, and never checked before use.
P_NtAllocateVirtualMemory Sys_NtAllocateVirtualMemory;

using namespace std;
BOOL EnableDebugPrivilege();
BOOL InjectDllByRemoteThread(ULONG32 ulTargetProcessID, WCHAR* wzDllFullPath);

/*
Opens the target process and returns its handle, or NULL on failure.
The caller owns the returned handle.

NOTE(review): the access mask is far wider than what the rest of this file
uses (VM operation/read/write, create thread via CreateRemoteThread, query).
PROCESS_DUP_HANDLE, PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME and
PROCESS_SET_INFORMATION are requested but never exercised; least privilege
would drop them.
*/
HANDLE InjectLow_OpenProcess(const int process_id)
{
    ///
    // open target process with the access rights we need
    //

    const ULONG _DesiredAccess =
        PROCESS_DUP_HANDLE | PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME
        | PROCESS_SET_INFORMATION | PROCESS_QUERY_INFORMATION
        | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

    HANDLE hProcess = OpenProcess(_DesiredAccess, FALSE, process_id);

    if
 (hProcess) {
        return hProcess;
    }
    // hProcess is NULL here; this CloseHandle is a no-op on a NULL handle.
    CloseHandle(hProcess);
    return NULL;
}

/*
Entry point used by the server: resolves NtAllocateVirtualMemory, enables
SeDebugPrivilege and loads DllPath into process Pids via a remote thread.

DllPath - DLL path; only the first 15 (x64) / 20 (x86) characters are copied
          into wzDllFullPath, so longer paths are silently truncated.
Pids    - target process id.

Returns the BOOL from InjectDllByRemoteThread, or 0 when the privilege could
not be enabled.

NOTE(review): Pids is a DWORD, so `Pids < 0` is never true and that guard is
dead. The 128-byte `tramp` heap block is allocated, zeroed and never freed or
used, `addr` and `i` are unused, and Sys_NtAllocateVirtualMemory is left NULL
(and later called) if ntdll cannot be resolved.
*/
int InjectDLLStart(wchar_t* DllPath, const DWORD Pids)
{
    HMODULE __NtdHand = GetModuleHandle(L"ntdll.dll");
    if (__NtdHand)
        Sys_NtAllocateVirtualMemory = (P_NtAllocateVirtualMemory)GetProcAddress(__NtdHand, "NtAllocateVirtualMemory");

    // MEM_RESERVE
    HANDLE addr = GetProcessHeap();
    UCHAR* tramp = (UCHAR*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 128);
    if (tramp)
    {
        memset(tramp, 0, 128);
    }
    int i = GetLastError();
    if (EnableDebugPrivilege() == FALSE)
    {
        return 0;
    }

    if (Pids < 0)
    {
        return 0;
    }

    WCHAR wzDllFullPath[MAX_PATH] = { 0 };
#ifdef _WIN64
    wcsncat_s(wzDllFullPath, DllPath, 15);
#else
    wcsncat_s(wzDllFullPath, DllPath, 20);
#endif
    return InjectDllByRemoteThread(Pids, wzDllFullPath);
}

/*
Writes wzDllFullPath into the target process and runs LoadLibraryW on it in
a remote thread, waiting for that thread to finish.

ulTargetProcessID - target process id
wzDllFullPath     - NUL-terminated wide path to load

Returns TRUE when the remote thread ran to completion, FALSE on any failure
(open, allocate, write, or thread creation). Note that TRUE only means the
thread finished; the LoadLibraryW result itself is not read back.

NOTE(review): the remote buffer only ever holds a string, so PAGE_READWRITE
would be sufficient protection; PAGE_EXECUTE_READWRITE is more than the data
needs. The VirtualFreeEx calls pass ulDllLength (a character count) where a
byte size is expected and use MEM_DECOMMIT; releasing a region allocated
with MEM_RESERVE | MEM_COMMIT takes MEM_RELEASE with size 0, so the reserved
region is never actually freed. The status from Sys_NtAllocateVirtualMemory
is discarded; only a NULL remote_addr after the loop is treated as failure.
*/
BOOL InjectDllByRemoteThread(ULONG32 ulTargetProcessID, WCHAR* wzDllFullPath)
{
    void *remote_addr = NULL;
    HANDLE TargetProcessHandle = NULL;
    TargetProcessHandle = InjectLow_OpenProcess(ulTargetProcessID);
    if (NULL == TargetProcessHandle)
    {
        printf("failed to open process!!\n");
        return FALSE;
    }

    // WCHAR* VirtualAddress = NULL;
    // Length in characters including the terminator; region_size is in bytes.
    ULONG32 ulDllLength = (ULONG32)_tcslen(wzDllFullPath) + 1;
    SIZE_T region_size = ulDllLength * sizeof(WCHAR);

    //ALLOC Address for Dllpath
    // Retries with ZeroBits from 8 down to 3 until an allocation succeeds.
    for (int i = 8; !remote_addr && i > 2; i--) {
        NTSTATUS status = Sys_NtAllocateVirtualMemory(TargetProcessHandle, &remote_addr, i, &region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    }
    // VirtualAddress = (WCHAR*)VirtualAllocEx(TargetProcessHandle, NULL, , MEM_COMMIT, PAGE_READWRITE);
    if (NULL == remote_addr)
    {
        printf("failed to Alloc!!\n");
        CloseHandle(TargetProcessHandle);
        return FALSE;
    }
    // write
    if (FALSE ==
WriteProcessMemory(TargetProcessHandle, remote_addr, (LPVOID)wzDllFullPath, ulDllLength * sizeof(WCHAR), NULL))
    {
        printf("failed to write!!\n");
        VirtualFreeEx(TargetProcessHandle, remote_addr, ulDllLength, MEM_DECOMMIT);
        CloseHandle(TargetProcessHandle);
        return FALSE;
    }
    // LoadLibraryW resolved in this process; the address is assumed to be the
    // same in the target (same kernel32 mapping). A NULL result is not checked.
    LPTHREAD_START_ROUTINE FunctionAddress = NULL;
    FunctionAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
    HANDLE ThreadHandle = INVALID_HANDLE_VALUE;
    //start
    ThreadHandle = CreateRemoteThread(TargetProcessHandle, NULL, 0, FunctionAddress, remote_addr, 0, NULL);
    if (NULL == ThreadHandle)
    {
        VirtualFreeEx(TargetProcessHandle, remote_addr, ulDllLength, MEM_DECOMMIT);
        CloseHandle(TargetProcessHandle);
        return FALSE;
    }
    // WaitForSingleObject
    // Blocks without a timeout until the remote thread exits.
    WaitForSingleObject(ThreadHandle, INFINITE);
    VirtualFreeEx(TargetProcessHandle, remote_addr, ulDllLength, MEM_DECOMMIT); // cleanup
    CloseHandle(ThreadHandle);
    CloseHandle(TargetProcessHandle);
    return TRUE;
}

/*
Enables SeDebugPrivilege on the current process token.
Returns TRUE when AdjustTokenPrivileges reports success, FALSE otherwise.

NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege was
not assigned (it then sets ERROR_NOT_ALL_ASSIGNED), so a TRUE from this
function does not guarantee the privilege is held; checking
GetLastError() == ERROR_SUCCESS after the call would close that gap.
The TokenHandle = INVALID_HANDLE_VALUE stores after CloseHandle only touch
a local and have no effect on callers.
*/
BOOL EnableDebugPrivilege()
{
    HANDLE TokenHandle = NULL;
    TOKEN_PRIVILEGES TokenPrivilege;
    LUID uID;
    // open the process token
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
    {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        CloseHandle(TokenHandle);
        TokenHandle = INVALID_HANDLE_VALUE;
        return FALSE;
    }
    TokenPrivilege.PrivilegeCount = 1;
    TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivilege.Privileges[0].Luid = uID;
    if (!AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    // adjust privileges
    {
        CloseHandle(TokenHandle);
        TokenHandle = INVALID_HANDLE_VALUE;
        return FALSE;
    }
    CloseHandle(TokenHandle);
    TokenHandle = INVALID_HANDLE_VALUE;
    return TRUE;
}
-------------------------------------------------------------------------------- /CveServer/Release/CveServer.Build.CppClean.log: --------------------------------------------------------------------------------
1 | f:\exp\cveserver\release\vc141.pdb
2 | f:\exp\cveserver\release\injectmonprocesstest.obj
3 | f:\exp\cveserver\release\hlprserveralpcport.obj
4 | f:\exp\cveserver\release\cveserver.obj
5 | f:\exp\release\cveserver.ipdb
6 | f:\exp\release\cveserver.iobj
7 | f:\exp\release\cveserver.exe
8 | f:\exp\release\cveserver.pdb
9 | f:\exp\cveserver\release\cveserver.tlog\cl.command.1.tlog
10 | f:\exp\cveserver\release\cveserver.tlog\cl.read.1.tlog
11 | f:\exp\cveserver\release\cveserver.tlog\cl.write.1.tlog
12 | f:\exp\cveserver\release\cveserver.tlog\cveserver.write.1u.tlog
13 | f:\exp\cveserver\release\cveserver.tlog\link.command.1.tlog
14 | f:\exp\cveserver\release\cveserver.tlog\link.read.1.tlog
15 | f:\exp\cveserver\release\cveserver.tlog\link.write.1.tlog
16 |
-------------------------------------------------------------------------------- /CveServer/Release/CveServer.log: --------------------------------------------------------------------------------
1 |  CveServer.cpp
2 | HlprServerAlpcPort.cpp
3 | InjectMonProcessTest.cpp
4 | Generating code
5 | All 6 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
6 | Finished generating code 7 | CveServer.vcxproj -> F:\Exp\Release\CveServer.exe 8 | -------------------------------------------------------------------------------- /CveServer/Release/CveServer.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.obj -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/CveServer.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Release|Win32|F:\Exp\| 3 | 
-------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/CveServer.write.1u.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/CveServer.write.1u.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/CveServer.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/CveServer.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /CveServer/Release/HlprServerAlpcPort.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/HlprServerAlpcPort.obj -------------------------------------------------------------------------------- /CveServer/Release/InjectMonProcessTest.obj: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/InjectMonProcessTest.obj -------------------------------------------------------------------------------- /CveServer/Release/vc141.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/Release/vc141.pdb -------------------------------------------------------------------------------- /CveServer/ntbasic.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTBASIC_H 2 | #define _NTBASIC_H 3 | #include 4 | 5 | #ifndef _NTDEF_ 6 | 7 | // This header file provides basic NT types not included in Win32. 8 | 9 | #ifndef NOTHING 10 | #define NOTHING 11 | #endif 12 | 13 | // Basic types 14 | 15 | typedef struct _QUAD 16 | { 17 | double DoNotUseThisField; 18 | } QUAD, *PQUAD, UQUAD, *PUQUAD; 19 | 20 | // This isn't in NT, but it's useful. 
21 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 22 | { 23 | ULONG_PTR DoNotUseThisField1; 24 | ULONG_PTR DoNotUseThisField2; 25 | } QUAD_PTR, *PQUAD_PTR, UQUAD_PTR, *PUQUAD_PTR; 26 | 27 | typedef PVOID *PPVOID; 28 | 29 | typedef ULONG LOGICAL; 30 | typedef ULONG *PLOGICAL; 31 | 32 | typedef __success(return >= 0) LONG NTSTATUS; 33 | typedef NTSTATUS *PNTSTATUS; 34 | 35 | // Cardinal types 36 | 37 | typedef char CCHAR; 38 | typedef short CSHORT; 39 | typedef ULONG CLONG; 40 | 41 | typedef CCHAR *PCCHAR; 42 | typedef CSHORT *PCSHORT; 43 | typedef CLONG *PCLONG; 44 | 45 | // Specific 46 | 47 | typedef UCHAR KIRQL, *PKIRQL; 48 | typedef LONG KPRIORITY; 49 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 50 | 51 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 52 | 53 | // NT status macros 54 | 55 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 56 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 57 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 58 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 59 | 60 | #define NT_FACILITY_MASK 0xfff 61 | #define NT_FACILITY_SHIFT 16 62 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 63 | 64 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 65 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 66 | 67 | // Functions 68 | 69 | #ifdef _M_IX86 70 | #define FASTCALL __fastcall 71 | #else 72 | #define FASTCALL 73 | #endif 74 | 75 | // Synchronization enumerations 76 | 77 | typedef enum _EVENT_TYPE 78 | { 79 | NotificationEvent, 80 | SynchronizationEvent 81 | } EVENT_TYPE; 82 | 83 | typedef enum _TIMER_TYPE 84 | { 85 | NotificationTimer, 86 | SynchronizationTimer 87 | } TIMER_TYPE; 88 | 89 | typedef enum _WAIT_TYPE 90 | { 91 | WaitAll, 92 | WaitAny 93 | } WAIT_TYPE; 94 | 95 | // Strings 96 | 97 | typedef struct _STRING 98 | { 99 | USHORT Length; 100 | USHORT MaximumLength; 101 | 
__field_bcount_part_opt(MaximumLength, Length) PCHAR Buffer; 102 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 103 | 104 | typedef const STRING *PCSTRING; 105 | typedef const ANSI_STRING *PCANSI_STRING; 106 | typedef const OEM_STRING *PCOEM_STRING; 107 | 108 | typedef struct _UNICODE_STRING 109 | { 110 | USHORT Length; 111 | USHORT MaximumLength; 112 | __field_bcount_part(MaximumLength, Length) PWCH Buffer; 113 | } UNICODE_STRING, *PUNICODE_STRING; 114 | 115 | typedef const UNICODE_STRING *PCUNICODE_STRING; 116 | 117 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 118 | 119 | // Balanced tree node 120 | 121 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 122 | 123 | typedef struct _RTL_BALANCED_NODE 124 | { 125 | union 126 | { 127 | struct _RTL_BALANCED_NODE *Children[2]; 128 | struct 129 | { 130 | struct _RTL_BALANCED_NODE *Left; 131 | struct _RTL_BALANCED_NODE *Right; 132 | }; 133 | }; 134 | union 135 | { 136 | UCHAR Red : 1; 137 | UCHAR Balance : 2; 138 | ULONG_PTR ParentValue; 139 | }; 140 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 141 | 142 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 143 | 144 | // Portability 145 | 146 | typedef struct _SINGLE_LIST_ENTRY32 147 | { 148 | ULONG Next; 149 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 150 | 151 | typedef struct _STRING32 152 | { 153 | USHORT Length; 154 | USHORT MaximumLength; 155 | ULONG Buffer; 156 | } STRING32, *PSTRING32; 157 | 158 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 159 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 160 | 161 | typedef struct _STRING64 162 | { 163 | USHORT Length; 164 | USHORT MaximumLength; 165 | ULONGLONG Buffer; 166 | } STRING64, *PSTRING64; 167 | 168 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 169 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 170 | 171 | // Object attributes 172 | 173 | 
// Attribute bits for OBJECT_ATTRIBUTES.Attributes (values as in the Windows SDK ntdef.h).
// Driver code that opens an object named by a user-mode request generally wants both
// OBJ_KERNEL_HANDLE and OBJ_FORCE_ACCESS_CHECK set, so the handle cannot land in the
// requesting process's handle table and the requester's access rights are actually enforced.
#define OBJ_INHERIT 0x00000002 // handle is inheritable by child processes
174 | #define OBJ_PERMANENT 0x00000010 // object persists after its last handle closes
175 | #define OBJ_EXCLUSIVE 0x00000020 // no other handle may be opened to the object
176 | #define OBJ_CASE_INSENSITIVE 0x00000040 // case-insensitive name lookup
177 | #define OBJ_OPENIF 0x00000080 // on create, open an existing object instead of failing
178 | #define OBJ_OPENLINK 0x00000100 // open the symbolic link itself, not its target
179 | #define OBJ_KERNEL_HANDLE 0x00000200 // handle lives in the kernel handle table, unreachable from user mode
180 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 // run the full access check even for kernel-mode callers
181 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 // OR of every bit above; anything outside it should be rejected
182 |
// Name and security parameters for object open/create. Length must be
// sizeof(OBJECT_ATTRIBUTES) (both initializers below set it). ObjectName is the path,
// relative to RootDirectory when that is non-NULL. SecurityDescriptor and
// SecurityQualityOfService are untyped here; the trailing comments name the real types.
183 | typedef struct _OBJECT_ATTRIBUTES
184 | {
185 | ULONG Length;
186 | HANDLE RootDirectory;
187 | PUNICODE_STRING ObjectName;
188 | ULONG Attributes;
189 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
190 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
191 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
192 |
193 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
194 |
// Runtime initializer. SecurityQualityOfService is always reset to NULL, so assign it
// after this macro if one is needed. It expands to a bare compound statement (no
// do/while(0)), so `if (c) InitializeObjectAttributes(...); else ...` does not compile.
195 | #define InitializeObjectAttributes(p, n, a, r, s) { \
196 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
197 | (p)->RootDirectory = r; \
198 | (p)->Attributes = a; \
199 | (p)->ObjectName = n; \
200 | (p)->SecurityDescriptor = s; \
201 | (p)->SecurityQualityOfService = NULL; \
202 | }
203 |
// Compile-time aggregate initializer; positional order is Length, RootDirectory,
// ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.
204 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
205 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
206 |
207 | // Portability
208 |
// Fixed-width layouts: every pointer field becomes ULONG64 / ULONG so the struct has the
// same size whatever the inspecting process's bitness — presumably for cross-bitness use;
// confirm with the callers. The integer fields are foreign addresses, not pointers.
209 | typedef struct _OBJECT_ATTRIBUTES64
210 | {
211 | ULONG Length;
212 | ULONG64 RootDirectory;
213 | ULONG64 ObjectName;
214 | ULONG Attributes;
215 | ULONG64 SecurityDescriptor;
216 | ULONG64 SecurityQualityOfService;
217 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;
218 |
219 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
220 |
221 | typedef struct _OBJECT_ATTRIBUTES32
222 | {
223 | ULONG Length;
224 | ULONG RootDirectory;
225 | ULONG ObjectName;
226 | ULONG Attributes;
227 | ULONG SecurityDescriptor;
228 | ULONG SecurityQualityOfService;
229 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32;
230 |
231 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
232 |
233 | //
Product types 234 |
// Enumerators start at 1, so a zero value is never a valid product type.
235 | typedef enum _NT_PRODUCT_TYPE
236 | {
237 | NtProductWinNt = 1,
238 | NtProductLanManNt,
239 | NtProductServer
240 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
241 |
// Product-suite enumerators (0-based, positional). MaxSuiteType is a sentinel, not a suite.
242 | typedef enum _SUITE_TYPE
243 | {
244 | SmallBusiness,
245 | Enterprise,
246 | BackOffice,
247 | CommunicationServer,
248 | TerminalServer,
249 | SmallBusinessRestricted,
250 | EmbeddedNT,
251 | DataCenter,
252 | SingleUserTS,
253 | Personal,
254 | Blade,
255 | EmbeddedRestricted,
256 | SecurityAppliance,
257 | StorageServer,
258 | ComputeServer,
259 | WHServer,
260 | PhoneNT,
261 | MaxSuiteType
262 | } SUITE_TYPE;
263 |
264 | // Specific
265 |
// Process/thread identifier pair. The fields are declared HANDLE but, per their names,
// carry IDs rather than handle-table entries — presumably they must not be closed or
// duplicated as handles; confirm against the callers.
266 | typedef struct _CLIENT_ID
267 | {
268 | HANDLE UniqueProcess;
269 | HANDLE UniqueThread;
270 | } CLIENT_ID, *PCLIENT_ID;
271 |
// Fixed-width variants of CLIENT_ID (see the Portability note on the string types above).
272 | typedef struct _CLIENT_ID32
273 | {
274 | ULONG UniqueProcess;
275 | ULONG UniqueThread;
276 | } CLIENT_ID32, *PCLIENT_ID32;
277 |
278 | typedef struct _CLIENT_ID64
279 | {
280 | ULONGLONG UniqueProcess;
281 | ULONGLONG UniqueThread;
282 | } CLIENT_ID64, *PCLIENT_ID64;
283 |
// NOTE(review): the header name on this #include was lost when the tree was dumped;
// restore it from the source repository.
284 | #include
285 |
// 64-bit system time split into a low part and two copies of the high part — presumably
// the two copies are compared to get a consistent lock-free read on 32-bit; confirm.
286 | typedef struct _KSYSTEM_TIME
287 | {
288 | ULONG LowPart;
289 | LONG High1Time;
290 | LONG High2Time;
291 | } KSYSTEM_TIME, *PKSYSTEM_TIME;
292 |
// NOTE(review): header name lost in the dump here as well.
293 | #include
294 |
// Closes the #ifndef _NTDEF_ block and then the _NTBASIC_H file guard.
295 | #endif
296 |
297 | #endif
298 |
--------------------------------------------------------------------------------
/CveServer/x64/Debug/CveServer.log:
--------------------------------------------------------------------------------
1 | F:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(402,5): warning MSB8038: Spectre mitigation is enabled but Spectre mitigated libraries are not found. Verify that the Visual Studio Workload includes the Spectre mitigated libraries. See https://aka.ms/Ofhn4c for more information.
2 | CveServer.cpp 3 | HlprServerAlpcPort.cpp 4 | f:\exp\cveserver\hlprserveralpcport.cpp(234): error C2664: 'NTSTATUS NtAlpcSendWaitReceivePort(HANDLE,ULONG,PPORT_MESSAGE,PALPC_MESSAGE_ATTRIBUTES,PPORT_MESSAGE,PULONG,PALPC_MESSAGE_ATTRIBUTES,PLARGE_INTEGER)': cannot convert argument 6 from 'SIZE_T *' to 'PULONG' 5 | f:\exp\cveserver\hlprserveralpcport.cpp(234): note: Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast 6 | f:\exp\cveserver\hlprserveralpcport.cpp(250): error C2664: 'NTSTATUS NtAlpcSendWaitReceivePort(HANDLE,ULONG,PPORT_MESSAGE,PALPC_MESSAGE_ATTRIBUTES,PPORT_MESSAGE,PULONG,PALPC_MESSAGE_ATTRIBUTES,PLARGE_INTEGER)': cannot convert argument 6 from 'SIZE_T *' to 'PULONG' 7 | f:\exp\cveserver\hlprserveralpcport.cpp(250): note: Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast 8 | InjectMonProcessTest.cpp 9 | Generating Code... 10 | f:\exp\cveserver\injectmonprocesstest.cpp(82): warning C4715: 'InjectDllByRemoteThread': not all control paths return a value 11 | -------------------------------------------------------------------------------- /CveServer/x64/Debug/CveServer.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/x64/Debug/CveServer.obj -------------------------------------------------------------------------------- /CveServer/x64/Debug/CveServer.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/x64/Debug/CveServer.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /CveServer/x64/Debug/CveServer.tlog/CL.read.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/x64/Debug/CveServer.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /CveServer/x64/Debug/CveServer.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/CveServer/x64/Debug/CveServer.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /CveServer/x64/Debug/CveServer.tlog/CveServer.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|x64|F:\Exp\| 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ### 代码文档: https://bbs.pediy.com/thread-266891.htm 2 | -------------------------------------------------------------------------------- /alpc/Debug/alpc.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.idb -------------------------------------------------------------------------------- /alpc/Debug/alpc.log: -------------------------------------------------------------------------------- 1 |  ntlpcapi.c 2 | alpc.vcxproj -> F:\Exp\alpc\..\lib\Win32\alpc.lib 3 | -------------------------------------------------------------------------------- /alpc/Debug/alpc.pdb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.pdb -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/Lib-link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/Lib-link.read.1.tlog -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/Lib-link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/Lib-link.write.1.tlog 
-------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/Lib.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/alpc.tlog/Lib.command.1.tlog -------------------------------------------------------------------------------- /alpc/Debug/alpc.tlog/alpc.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|Win32|F:\Exp\| 3 | -------------------------------------------------------------------------------- /alpc/Debug/ntlpcapi.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Debug/ntlpcapi.obj -------------------------------------------------------------------------------- /alpc/Release/alpc.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | f:\exp\alpc\release\alpc.pdb 2 | f:\exp\alpc\release\ntlpcapi.obj 3 | f:\exp\lib\win32\alpc.lib 4 | f:\exp\alpc\..\lib\win32\alpc.lib 5 | f:\exp\alpc\release\alpc.tlog\cl.command.1.tlog 6 | f:\exp\alpc\release\alpc.tlog\cl.read.1.tlog 7 | f:\exp\alpc\release\alpc.tlog\cl.write.1.tlog 8 | f:\exp\alpc\release\alpc.tlog\lib-link.read.1.tlog 9 | f:\exp\alpc\release\alpc.tlog\lib-link.write.1.tlog 10 | f:\exp\alpc\release\alpc.tlog\lib.command.1.tlog 11 | -------------------------------------------------------------------------------- /alpc/Release/alpc.log: -------------------------------------------------------------------------------- 1 |  ntlpcapi.c 2 | alpc.vcxproj -> F:\Exp\alpc\..\lib\Win32\alpc.lib 3 | 
-------------------------------------------------------------------------------- /alpc/Release/alpc.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.pdb -------------------------------------------------------------------------------- /alpc/Release/alpc.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /alpc/Release/alpc.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /alpc/Release/alpc.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /alpc/Release/alpc.tlog/Lib-link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/Lib-link.read.1.tlog -------------------------------------------------------------------------------- /alpc/Release/alpc.tlog/Lib-link.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/Lib-link.write.1.tlog
--------------------------------------------------------------------------------
/alpc/Release/alpc.tlog/Lib.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/alpc.tlog/Lib.command.1.tlog
--------------------------------------------------------------------------------
/alpc/Release/alpc.tlog/alpc.lastbuildstate:
--------------------------------------------------------------------------------
1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
2 | Release|Win32|F:\Exp\|
3 |
--------------------------------------------------------------------------------
/alpc/Release/ntlpcapi.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/Release/ntlpcapi.obj
--------------------------------------------------------------------------------
/alpc/UserModeDefs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "ntlpcapi.h"
3 |
// Hand-written prototypes for ntdll exports that the user-mode SDK does not declare.
// They must match the export's real signature exactly: C linking does not check
// parameter types, so a mismatch is only caught if the compiler sees it (the CveServer
// build log in this tree records a C2664 on NtAlpcSendWaitReceivePort of exactly that
// kind); a mismatch that compiles is not caught at all.
//
// RtlInitUnicodeString: sets DestinationString's Length/MaximumLength from SourceString
// and points Buffer AT SourceString itself (__drv_aliasesMem) — the caller's string must
// outlive the UNICODE_STRING. SourceString may be NULL (_In_opt_z_); per the SDK
// documentation that yields an empty string.
4 | NTSYSAPI
5 | VOID
6 | NTAPI
7 | RtlInitUnicodeString(
8 | _Out_ PUNICODE_STRING DestinationString,
9 | _In_opt_z_ __drv_aliasesMem PCWSTR SourceString
10 | );
11 |
// ZwCreateSection: Zw-prefixed name of the NtCreateSection export (ntdll exports both
// names for user mode). Returns the new section handle through SectionHandle;
// DesiredAccess and ObjectAttributes drive the access check and naming. Per the WDK
// documentation a NULL FileHandle creates a pagefile-backed section. Request the least
// permissive SectionPageProtection the use actually needs.
12 | NTSYSAPI
13 | NTSTATUS
14 | NTAPI
15 | ZwCreateSection (
16 | _Out_ PHANDLE SectionHandle,
17 | _In_ ACCESS_MASK DesiredAccess,
18 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
19 | _In_opt_ PLARGE_INTEGER MaximumSize,
20 | _In_ ULONG SectionPageProtection,
21 | _In_ ULONG AllocationAttributes,
22 | _In_opt_ HANDLE FileHandle
23 | );
-------------------------------------------------------------------------------- /alpc/alpc.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 15.0 32 | {5233E37E-4D5C-4EC7-B0E1-4F9E1807BCC3} 33 | Win32Proj 34 | alpc 35 | 10.0.17763.0 36 | 37 | 38 | 39 | StaticLibrary 40 | true 41 | v141 42 | Unicode 43 | false 44 | 45 | 46 | StaticLibrary 47 | false 48 | v141 49 | true 50 | Unicode 51 | false 52 | 53 | 54 | Application 55 | true 56 | v141 57 | Unicode 58 | 59 | 60 | Application 61 | false 62 | v141 63 | true 64 | Unicode 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | true 86 | ..\lib\$(Platform)\ 87 | .lib 88 | 89 | 90 | true 91 | 92 | 93 | false 94 | ..\lib\$(Platform)\ 95 | 96 | 97 | false 98 | 99 | 100 | 101 | NotUsing 102 | Level3 103 | Disabled 104 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) 105 | false 106 | MultiThreadedDebug 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | MachineX86 114 | 115 | 116 | 117 | 118 | 119 | 120 | Level3 121 | Disabled 122 | true 123 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | 126 | 127 | Console 128 | true 129 | 130 | 131 | 132 | 133 | 134 | 135 | Level3 136 | MaxSpeed 137 | true 138 | true 139 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | 148 | 149 | MachineX86 150 | 151 | 152 | 153 | 154 | 155 | 156 | Level3 157 | MaxSpeed 158 | true 159 | true 160 | true 161 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 162 | true 163 | 164 | 165 | Console 166 | true 167 | true 168 | true 169 | 170 | 171 | 172 | 173 | 174 | -------------------------------------------------------------------------------- /alpc/alpc.vcxproj.filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /alpc/alpc.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /alpc/ntbasic.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTBASIC_H 2 | #define _NTBASIC_H 3 | 4 | // #include 5 | #include 6 | 7 | #ifndef _NTDEF_ 8 | 9 | // This header file provides basic NT types not included in Win32. 10 | 11 | #ifndef NOTHING 12 | #define NOTHING 13 | #endif 14 | 15 | // Basic types 16 | 17 | typedef struct _QUAD 18 | { 19 | double DoNotUseThisField; 20 | } QUAD, *PQUAD, UQUAD, *PUQUAD; 21 | 22 | // This isn't in NT, but it's useful. 
// Pointer-sized pair aligned to MEMORY_ALLOCATION_ALIGNMENT; the field names indicate
// they are placeholders that only fix size and alignment.
23 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
24 | {
25 | ULONG_PTR DoNotUseThisField1;
26 | ULONG_PTR DoNotUseThisField2;
27 | } QUAD_PTR, *PQUAD_PTR, UQUAD_PTR, *PUQUAD_PTR;
28 |
29 | typedef PVOID *PPVOID;
30 |
31 | typedef ULONG LOGICAL;
32 | typedef ULONG *PLOGICAL;
33 |
// NTSTATUS: negative values are failures (see NT_SUCCESS below); the __success
// annotation tells SAL the same thing.
34 | typedef __success(return >= 0) LONG NTSTATUS;
35 | typedef NTSTATUS *PNTSTATUS;
36 |
37 | // Cardinal types
38 |
// Count types: CCHAR/CSHORT are signed, CLONG is unsigned.
39 | typedef char CCHAR;
40 | typedef short CSHORT;
41 | typedef ULONG CLONG;
42 |
43 | typedef CCHAR *PCCHAR;
44 | typedef CSHORT *PCSHORT;
45 | typedef CLONG *PCLONG;
46 |
47 | // Specific
48 |
// Kernel scalar types, with the widths the kernel uses for them.
49 | typedef UCHAR KIRQL, *PKIRQL;
50 | typedef LONG KPRIORITY;
51 | typedef USHORT RTL_ATOM, *PRTL_ATOM;
52 |
53 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
54 |
55 | // NT status macros
56 |
// Classification by the top two (severity) bits: 00 success, 01 informational,
// 10 warning, 11 error. NT_SUCCESS tests only the sign bit, so informational codes
// (severity 01) also pass it — code that needs "completed" rather than "not failed"
// must compare against the specific status.
57 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
58 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
59 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
60 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
61 |
// Facility is bits 16..27. WIN32_FROM_NTSTATUS takes the low 16 bits and is only
// meaningful when NT_NTWIN32(Status) holds; FACILITY_NTWIN32 is not defined here —
// presumably it comes from the SDK headers; confirm.
62 | #define NT_FACILITY_MASK 0xfff
63 | #define NT_FACILITY_SHIFT 16
64 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)
65 |
66 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
67 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)
68 |
69 | // Functions
70 |
// FASTCALL is a real calling convention only on x86; it expands to nothing elsewhere.
71 | #ifdef _M_IX86
72 | #define FASTCALL __fastcall
73 | #else
74 | #define FASTCALL
75 | #endif
76 |
77 | // Synchronization enumerations
78 |
// Positional enumerations (values 0 and 1) for event / timer kinds and wait modes.
79 | typedef enum _EVENT_TYPE
80 | {
81 | NotificationEvent,
82 | SynchronizationEvent
83 | } EVENT_TYPE;
84 |
85 | typedef enum _TIMER_TYPE
86 | {
87 | NotificationTimer,
88 | SynchronizationTimer
89 | } TIMER_TYPE;
90 |
91 | typedef enum _WAIT_TYPE
92 | {
93 | WaitAll,
94 | WaitAny
95 | } WAIT_TYPE;
96 |
97 | // Strings
98 |
// Counted 8-bit string; STRING, ANSI_STRING and OEM_STRING share this one layout.
// Length and MaximumLength are BYTE counts and only Length bytes of Buffer are valid
// (bcount_part annotation); Buffer may be NULL (_opt). Not NUL-terminated by contract.
99 | typedef struct _STRING
100 | {
101 | USHORT Length;
102 | USHORT MaximumLength;
103 |
__field_bcount_part_opt(MaximumLength, Length) PCHAR Buffer;
104 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;
105 |
// Read-only views of the counted 8-bit string types.
106 | typedef const STRING *PCSTRING;
107 | typedef const ANSI_STRING *PCANSI_STRING;
108 | typedef const OEM_STRING *PCOEM_STRING;
109 |
// Counted UTF-16 string. Length and MaximumLength are BYTE counts (see the bcount
// annotation), so each is at most 65535; only the first Length bytes of Buffer are
// meaningful. Never treat Buffer as a NUL-terminated string.
// NOTE(review): CveServer/ntbasic.h in this tree is a verbatim copy of this file.
110 | typedef struct _UNICODE_STRING
111 | {
112 | USHORT Length;
113 | USHORT MaximumLength;
114 | __field_bcount_part(MaximumLength, Length) PWCH Buffer;
115 | } UNICODE_STRING, *PUNICODE_STRING;
116 |
117 | typedef const UNICODE_STRING *PCUNICODE_STRING;
118 |
// Static initializer from a string-literal array: Length excludes the terminating NUL,
// MaximumLength includes it. s must be an array (sizeof(s) is taken), not a pointer.
119 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }
120 |
121 | // Balanced tree node
122 |
// Red / Balance overlay the low two bits of ParentValue; the mask below strips them
// to recover the parent pointer.
123 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
124 |
125 | typedef struct _RTL_BALANCED_NODE
126 | {
127 | union
128 | {
129 | struct _RTL_BALANCED_NODE *Children[2];
130 | struct
131 | {
132 | struct _RTL_BALANCED_NODE *Left;
133 | struct _RTL_BALANCED_NODE *Right;
134 | };
135 | };
136 | union
137 | {
138 | UCHAR Red : 1;
139 | UCHAR Balance : 2;
140 | ULONG_PTR ParentValue;
141 | };
142 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
143 |
144 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))
145 |
146 | // Portability
147 |
// Fixed-width (32- and 64-bit) layouts of the pointer-bearing types above, presumably
// for reading structures that belong to a process of the other bitness (confirm with the
// callers). Buffer/Next are plain integers here: an address in some other address space,
// never a pointer to dereference directly.
148 | typedef struct _SINGLE_LIST_ENTRY32
149 | {
150 | ULONG Next;
151 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;
152 |
153 | typedef struct _STRING32
154 | {
155 | USHORT Length;
156 | USHORT MaximumLength;
157 | ULONG Buffer;
158 | } STRING32, *PSTRING32;
159 |
160 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
161 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32;
162 |
163 | typedef struct _STRING64
164 | {
165 | USHORT Length;
166 | USHORT MaximumLength;
167 | ULONGLONG Buffer;
168 | } STRING64, *PSTRING64;
169 |
170 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
171 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
172 |
173 | // Object attributes
174 |
175 |
// Attribute bits for OBJECT_ATTRIBUTES.Attributes (values as in the Windows SDK ntdef.h).
// Driver code that opens an object named by a user-mode request generally wants both
// OBJ_KERNEL_HANDLE and OBJ_FORCE_ACCESS_CHECK set, so the handle cannot land in the
// requesting process's handle table and the requester's access rights are actually enforced.
#define OBJ_INHERIT 0x00000002 // handle is inheritable by child processes
176 | #define OBJ_PERMANENT 0x00000010 // object persists after its last handle closes
177 | #define OBJ_EXCLUSIVE 0x00000020 // no other handle may be opened to the object
178 | #define OBJ_CASE_INSENSITIVE 0x00000040 // case-insensitive name lookup
179 | #define OBJ_OPENIF 0x00000080 // on create, open an existing object instead of failing
180 | #define OBJ_OPENLINK 0x00000100 // open the symbolic link itself, not its target
181 | #define OBJ_KERNEL_HANDLE 0x00000200 // handle lives in the kernel handle table, unreachable from user mode
182 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 // run the full access check even for kernel-mode callers
183 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 // OR of every bit above; anything outside it should be rejected
184 |
// Name and security parameters for object open/create. Length must be
// sizeof(OBJECT_ATTRIBUTES) (both initializers below set it). ObjectName is the path,
// relative to RootDirectory when that is non-NULL. SecurityDescriptor and
// SecurityQualityOfService are untyped here; the trailing comments name the real types.
185 | typedef struct _OBJECT_ATTRIBUTES
186 | {
187 | ULONG Length;
188 | HANDLE RootDirectory;
189 | PUNICODE_STRING ObjectName;
190 | ULONG Attributes;
191 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
192 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
193 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
194 |
195 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
196 |
// Runtime initializer. SecurityQualityOfService is always reset to NULL, so assign it
// after this macro if one is needed. It expands to a bare compound statement (no
// do/while(0)), so `if (c) InitializeObjectAttributes(...); else ...` does not compile.
197 | #define InitializeObjectAttributes(p, n, a, r, s) { \
198 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
199 | (p)->RootDirectory = r; \
200 | (p)->Attributes = a; \
201 | (p)->ObjectName = n; \
202 | (p)->SecurityDescriptor = s; \
203 | (p)->SecurityQualityOfService = NULL; \
204 | }
205 |
// Compile-time aggregate initializer; positional order is Length, RootDirectory,
// ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.
206 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
207 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
208 |
209 | // Portability
210 |
// Fixed-width layouts: every pointer field becomes ULONG64 / ULONG so the struct has the
// same size whatever the inspecting process's bitness — presumably for cross-bitness use;
// confirm with the callers. The integer fields are foreign addresses, not pointers.
211 | typedef struct _OBJECT_ATTRIBUTES64
212 | {
213 | ULONG Length;
214 | ULONG64 RootDirectory;
215 | ULONG64 ObjectName;
216 | ULONG Attributes;
217 | ULONG64 SecurityDescriptor;
218 | ULONG64 SecurityQualityOfService;
219 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;
220 |
221 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
222 |
223 | typedef struct _OBJECT_ATTRIBUTES32
224 | {
225 | ULONG Length;
226 | ULONG RootDirectory;
227 | ULONG ObjectName;
228 | ULONG Attributes;
229 | ULONG SecurityDescriptor;
230 | ULONG SecurityQualityOfService;
231 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32;
232 |
233 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
234 |
235 | //
Product types 236 |
// Enumerators start at 1, so a zero value is never a valid product type.
237 | typedef enum _NT_PRODUCT_TYPE
238 | {
239 | NtProductWinNt = 1,
240 | NtProductLanManNt,
241 | NtProductServer
242 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
243 |
// Product-suite enumerators (0-based, positional). MaxSuiteType is a sentinel, not a suite.
244 | typedef enum _SUITE_TYPE
245 | {
246 | SmallBusiness,
247 | Enterprise,
248 | BackOffice,
249 | CommunicationServer,
250 | TerminalServer,
251 | SmallBusinessRestricted,
252 | EmbeddedNT,
253 | DataCenter,
254 | SingleUserTS,
255 | Personal,
256 | Blade,
257 | EmbeddedRestricted,
258 | SecurityAppliance,
259 | StorageServer,
260 | ComputeServer,
261 | WHServer,
262 | PhoneNT,
263 | MaxSuiteType
264 | } SUITE_TYPE;
265 |
266 | // Specific
267 |
// Process/thread identifier pair. The fields are declared HANDLE but, per their names,
// carry IDs rather than handle-table entries — presumably they must not be closed or
// duplicated as handles; confirm against the callers.
268 | typedef struct _CLIENT_ID
269 | {
270 | HANDLE UniqueProcess;
271 | HANDLE UniqueThread;
272 | } CLIENT_ID, *PCLIENT_ID;
273 |
// Fixed-width variants of CLIENT_ID (see the Portability note on the string types above).
274 | typedef struct _CLIENT_ID32
275 | {
276 | ULONG UniqueProcess;
277 | ULONG UniqueThread;
278 | } CLIENT_ID32, *PCLIENT_ID32;
279 |
280 | typedef struct _CLIENT_ID64
281 | {
282 | ULONGLONG UniqueProcess;
283 | ULONGLONG UniqueThread;
284 | } CLIENT_ID64, *PCLIENT_ID64;
285 |
// NOTE(review): the header name on this #include was lost when the tree was dumped;
// restore it from the source repository.
286 | #include
287 |
// 64-bit system time split into a low part and two copies of the high part — presumably
// the two copies are compared to get a consistent lock-free read on 32-bit; confirm.
288 | typedef struct _KSYSTEM_TIME
289 | {
290 | ULONG LowPart;
291 | LONG High1Time;
292 | LONG High2Time;
293 | } KSYSTEM_TIME, *PKSYSTEM_TIME;
294 |
// NOTE(review): header name lost in the dump here as well.
295 | #include
296 |
// Closes the #ifndef _NTDEF_ block and then the _NTBASIC_H file guard.
297 | #endif
298 |
299 | #endif
300 |
--------------------------------------------------------------------------------
/alpc/ntdefs.h:
--------------------------------------------------------------------------------
// NOTE(review): ntdefs.h redefines names that alpc/ntbasic.h also defines (QUAD, UCHAR,
// USHORT, ULONG below, and UQUAD, CCHAR, CSHORT, CLONG, HANDLE, UNICODE_STRING,
// OBJECT_ATTRIBUTES further down) and that the Windows SDK defines. ntbasic.h guards its
// NT-type block with #ifndef _NTDEF_; this file has only its own include guard, so
// including it together with either in one translation unit is likely to produce
// redefinition errors — confirm which consumers include which.
1 | #ifndef _NTDEFS_H_
2 | #define _NTDEFS_H_
// NOTE(review): the header names on the next two lines were lost when the tree was dumped.
3 | // #include
4 | #include
5 |
// Provide DECLSPEC_ALIGN when the SDK has not; it is empty for MIDL and pre-VS2003 compilers.
6 | #ifndef DECLSPEC_ALIGN
7 | #if (_MSC_VER >= 1300) && !defined(MIDL_PASS)
8 | #define DECLSPEC_ALIGN(x) __declspec(align(x))
9 | #else
10 | #define DECLSPEC_ALIGN(x)
11 | #endif
12 | #endif
13 |
// 64-bit opaque quantity; the field names say which member is meant for copying.
14 | typedef struct _QUAD {
15 | union {
16 | __int64 UseThisFieldToCopy;
17 | double DoNotUseThisField;
18 | } DUMMYUNIONNAME;
19 |
20 | } QUAD;
21 |
// Basic unsigned widths. ULONG is "unsigned long" (32-bit on every MSVC target).
22 | typedef unsigned char UCHAR;
23 | typedef unsigned short USHORT;
24 | typedef unsigned long ULONG;
// NOTE(review): everything in this file duplicates definitions in alpc/ntbasic.h and the
// Windows SDK (UQUAD, CCHAR/CSHORT/CLONG, WCHAR/PWCH, HANDLE/PHANDLE, UNICODE_STRING,
// OBJECT_ATTRIBUTES). ntbasic.h wraps its copy in #ifndef _NTDEF_; this file has no such
// guard, so a translation unit that includes both is likely to hit redefinition errors.
25 | typedef QUAD UQUAD;
26 |
27 | //
28 | // Cardinal Data Types [0 - 2**N-2)
29 | //
30 |
31 | typedef char CCHAR; // winnt
32 | typedef short CSHORT;
33 | typedef ULONG CLONG;
34 |
35 | typedef CCHAR *PCCHAR;
36 | typedef CSHORT *PCSHORT;
37 | typedef CLONG *PCLONG;
38 |
39 | //
40 | // UNICODE (Wide Character) types
41 | //
// WCHAR is wchar_t normally and a 16-bit unsigned short under _MAC; either way PWCH is
// the element type of UNICODE_STRING.Buffer below.
42 | #ifndef _MAC
43 | typedef wchar_t WCHAR; // wc, 16-bit UNICODE character
44 | #else
45 | // some Macintosh compilers don't define wchar_t in a convenient location, or define it as a char
46 | typedef unsigned short WCHAR; // wc, 16-bit UNICODE character
47 | #endif
48 |
49 | typedef WCHAR *PWCHAR, *LPWCH, *PWCH;
50 |
51 | #ifndef CONST
52 | #define CONST const
53 | #endif
// HANDLE depends on STRICT. The "#if 0 &&" makes the first DECLARE_HANDLE form
// unreachable, so under STRICT each declared handle is a distinct pointer-to-struct type;
// without STRICT every handle is an interchangeable PVOID. PVOID itself is not defined in
// the visible part of this file — presumably it comes from the #include whose name was
// lost in the dump; confirm.
54 | #ifdef STRICT
55 |
56 | typedef void *HANDLE;
57 | #if 0 && (_MSC_VER > 1000)
58 | #define DECLARE_HANDLE(name) struct name##__; typedef struct name##__ *name
59 | #else
60 | #define DECLARE_HANDLE(name) struct name##__{int unused;}; typedef struct name##__ *name
61 | #endif
62 | #else
63 | typedef PVOID HANDLE;
64 | #define DECLARE_HANDLE(name) typedef HANDLE name
65 | #endif
66 | typedef HANDLE *PHANDLE;
67 |
// Counted UTF-16 string. Length and MaximumLength are BYTE counts (the SAL annotation
// says bytes, and the MIDL branch divides by 2 to get USHORT element counts); only the
// first Length bytes of Buffer are valid. Never treat Buffer as NUL-terminated.
68 | typedef struct _UNICODE_STRING {
69 | USHORT Length;
70 | USHORT MaximumLength;
71 | #ifdef MIDL_PASS
72 | [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
73 | #else // MIDL_PASS
74 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
75 | #endif // MIDL_PASS
76 | } UNICODE_STRING;
77 | typedef UNICODE_STRING *PUNICODE_STRING;
78 |
// Same layout as the ntbasic.h OBJECT_ATTRIBUTES. Length must be sizeof(OBJECT_ATTRIBUTES);
// ObjectName is resolved relative to RootDirectory when that is non-NULL; the two PVOID
// security fields are untyped here and the trailing comments name the real types.
79 | typedef struct _OBJECT_ATTRIBUTES {
80 | ULONG Length;
81 | HANDLE RootDirectory;
82 | PUNICODE_STRING ObjectName;
83 | ULONG Attributes;
84 | PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
85 | PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
86 | } OBJECT_ATTRIBUTES;
87 | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
88 | typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
89 |
90 |
// Closes #ifndef _NTDEFS_H_.
91 | #endif
--------------------------------------------------------------------------------
/alpc/ntlpcapi.c:
--------------------------------------------------------------------------------
// Sole translation unit of the alpc static library; every declaration lives in
// ntlpcapi.h (this dump shows that header only as a link). Per the alpc build logs in
// this tree, ntlpcapi.obj is the only object archived into alpc.lib.
1 | #include "ntlpcapi.h"
2 |
3 |
--------------------------------------------------------------------------------
/alpc/ntlpcapi.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/ntlpcapi.h
--------------------------------------------------------------------------------
/alpc/x64/Debug/alpc.log:
--------------------------------------------------------------------------------
1 | F:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppBuild.targets(402,5): warning MSB8038: Spectre mitigation is enabled but Spectre mitigated libraries are not found. Verify that the Visual Studio Workload includes the Spectre mitigated libraries. See https://aka.ms/Ofhn4c for more information.
2 | ntlpcapi.c 3 | LINK : fatal error LNK1104: cannot open file 'MSVCRTD.lib' 4 | -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/alpc.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0 2 | Debug|x64|F:\Exp\| 3 | -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/link.command.1.tlog -------------------------------------------------------------------------------- 
/alpc/x64/Debug/alpc.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /alpc/x64/Debug/alpc.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/HIPS-HIDS_CveMod/5e9b5e831d9b0d8333ef2d7fbd0bbb8a512bfa89/alpc/x64/Debug/alpc.tlog/link.write.1.tlog --------------------------------------------------------------------------------